CVE-2026-3567 in RepairBuddy Plugin
Summary
by MITRE • 03/21/2026
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the wc_rb_get_fresh_nonce() function (registered via wp_ajax and wp_ajax_nopriv hooks) allows any user to generate a valid WordPress nonce for any arbitrary action name by simply providing the nonce_name parameter, with no capability checks. Second, the wc_rep_shop_settings_submission() function only verifies the nonce (wcrb_main_setting_nonce) but performs no current_user_can() capability check before updating 15+ plugin options via update_option(). This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin configuration settings including business name, email, logo, menu label, GDPR settings, and more by first minting a valid nonce via the wc_rb_get_fresh_nonce endpoint and then calling the settings submission handler.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/27/2026
The vulnerability identified in CVE-2026-3567 affects the RepairBuddy WordPress plugin, a repair shop CRM and booking solution that has been found to contain critical authorization flaws. This issue impacts all versions up to and including 4.1132, creating a significant security risk for WordPress sites that utilize this plugin. The vulnerability stems from a fundamental flaw in the plugin's access control mechanisms, specifically within its AJAX handler implementations that govern administrative configuration settings. The flaw allows any authenticated user to escalate their privileges and modify critical plugin parameters without proper authorization checks.
The technical exploitation of this vulnerability involves two distinct but interconnected functions that together create a privilege escalation path. The wc_rb_get_fresh_nonce() function operates through both wp_ajax and wp_ajax_nopriv hooks, which means it can be accessed by any user regardless of their authentication status or capabilities. This function accepts a nonce_name parameter and generates valid nonces for arbitrary action names without performing any capability verification or access control checks. This behavior directly violates security principles outlined in CWE-284, which addresses improper access control mechanisms, and represents a classic example of insecure direct object reference vulnerability where the system fails to validate user permissions before granting access to sensitive operations.
The second component of this vulnerability is the wc_rep_shop_settings_submission() function which demonstrates a critical failure in input validation and privilege enforcement. This function performs a nonce check using wcrb_main_setting_nonce but completely omits any capability verification through current_user_can() checks before proceeding with updates to over fifteen plugin options. The absence of proper access control validation in this function creates a scenario where any authenticated user can execute administrative operations, effectively bypassing the intended permission model. This flaw directly maps to CWE-285, which addresses insufficient authorization checks, and represents a dangerous lack of principle of least privilege implementation. The function updates critical configuration parameters including business name, email addresses, logo files, menu labels, and GDPR compliance settings, making the compromise potentially devastating for plugin users.
The operational impact of this vulnerability is substantial as it allows attackers with subscriber-level access or higher to completely compromise plugin security configurations. An authenticated attacker can manipulate core business settings, potentially redirecting customer information to malicious endpoints, altering compliance configurations that could violate data protection regulations, or modifying branding elements to create social engineering opportunities. The vulnerability essentially allows for complete administrative control over the plugin's configuration without requiring elevated privileges, making it particularly dangerous for organizations that rely on the plugin for business-critical operations. This type of vulnerability aligns with ATT&CK technique T1078.004, which covers valid accounts with elevated privileges, as the attack leverages legitimate user accounts to escalate privileges through flawed authorization mechanisms.
The mitigation strategy for this vulnerability requires immediate patching of the plugin to version 4.1133 or later, which should include proper capability checks and access control enforcement. Administrators should also implement additional security measures such as restricting access to plugin AJAX endpoints through firewall rules or implementing rate limiting for nonce generation requests. The vulnerability highlights the importance of proper input validation and privilege enforcement in WordPress plugins, particularly those handling sensitive configuration data. Security monitoring should be enhanced to detect unusual patterns in plugin configuration changes, and regular security audits of WordPress plugins should be conducted to identify similar authorization flaws. Organizations should also consider implementing network segmentation and access controls to limit the potential impact of such vulnerabilities in their environments. The fix should implement comprehensive capability checks using current_user_can() before any administrative operations are performed, ensuring that only users with appropriate permissions can modify plugin settings.