WP-Safety
CVE-2026-0820

RepairBuddy <= 4.1116 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Signature Upload to Orders

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
4.1121
Patched in
70d
Time to patch

Description

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary signatures to any order in the system, potentially modifying order metadata and triggering unauthorized status changes.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.1116
PublishedJanuary 16, 2026
Last updatedMarch 27, 2026
Affected plugincomputer-repair-shop

Source Code

WordPress.org SVN
Vulnerable v4.1116
Browse source Download .zip
Patched

Patched version not available.

Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-0820 (RepairBuddy IDOR) ## 1. Vulnerability Summary The **RepairBuddy** plugin (version <= 4.1116) contains an Insecure Direct Object Reference (IDOR) vulnerability in its signature upload functionality. The AJAX handler `wc_upload_and_save_signature_handler` …

Show full research plan

Exploitation Research Plan: CVE-2026-0820 (RepairBuddy IDOR)

1. Vulnerability Summary

The RepairBuddy plugin (version <= 4.1116) contains an Insecure Direct Object Reference (IDOR) vulnerability in its signature upload functionality. The AJAX handler wc_upload_and_save_signature_handler fails to perform any authorization or ownership checks on the order_id provided by the user. Consequently, any authenticated user (including low-privileged Subscriber accounts) can upload and attach a signature image to any order in the system by simply specifying the target order_id. This can lead to unauthorized modification of order metadata and potentially trigger unintended state changes in the repair workflow.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: wc_upload_and_save_signature (inferred from handler name)
  • Vulnerable Function: wc_upload_and_save_signature_handler
  • Authentication: Required (Subscriber level or higher).
  • HTTP Parameter: order_id (The ID of the target order).
  • Payload Parameter: signature (Likely a Base64 encoded string or a multipart file upload).
  • Preconditions: The attacker must be logged in as a Subscriber and know (or brute-force) a valid order_id.

3. Code Flow (Inferred)

  1. Hook Registration: The plugin registers the AJAX handler via:
    add_action('wp_ajax_wc_upload_and_save_signature', 'wc_upload_and_save_signature_handler');
  2. Entry Point: A POST request is sent to admin-ajax.php with action=wc_upload_and_save_signature.
  3. Execution: The wc_upload_and_save_signature_handler function is invoked.
  4. Processing:
    • It retrieves order_id from $_POST['order_id'].
    • It retrieves signature data from $_POST['signature'] (often a Base64 data URL in signature plugins).
    • The Flaw: It proceeds to save the signature as a file and update the order's metadata (e.g., update_post_meta($order_id, 'repair_order_signature', ... )) without calling current_user_can() or checking if the current user ID matches the order's customer ID.

4. Nonce Acquisition Strategy

The endpoint likely requires a nonce for the wc_upload_and_save_signature action.

  1. Locate Nonce Registration: Search the codebase for wp_create_nonce. Based on plugin naming conventions, it is likely registered in an enqueue script hook:
    • Grep: grep -r "wp_localize_script" .
  2. Identify JS Variable: Look for the localization key, likely something like repairbuddy_ajax or rb_vars.
  3. Trigger Script Loading: The signature functionality is usually found on the Order Details or Checkout pages. Identify the shortcode used for order management (e.g., [repairbuddy_order_tracking]).
  4. Extraction Plan:
    • Create a test page: wp post create --post_type=page --post_status=publish --post_content='[repairbuddy_order_tracking]'
    • Navigate to the page as a Subscriber.
    • Execute: browser_eval("repairbuddy_ajax?.nonce") (Replace repairbuddy_ajax with the actual identifier found in the source).

5. Exploitation Strategy

Step 1: Authentication

Login as a Subscriber user to obtain a session cookie.

Step 2: Target Identification

Identify a valid order_id belonging to another user (e.g., Admin). WordPress order IDs are standard Post IDs.

Step 3: Payload Preparation

Create a dummy signature (Base64 encoded transparent PNG):
data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=

Step 4: Execution via http_request

Send the malicious request to attach the signature to the Admin's order.

Request:

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
action=wc_upload_and_save_signature&order_id=TARGET_ORDER_ID&signature=BASE64_DATA&nonce=EXTRACTED_NONCE

6. Test Data Setup

  1. Admin Setup:
    • Create a Repair Order (Post Type: repair_order or wp_repair_buddy_order depending on plugin internals).
    • Note the ID of this order (e.g., ID 123).
  2. Attacker Setup:
    • Create a user with the Subscriber role.
  3. Environment Setup:
    • Place the relevant shortcode (e.g., [repairbuddy_order_tracking]) on a public page to facilitate nonce extraction.

7. Expected Results

  • The AJAX response should return a success status (e.g., {"success": true}).
  • The target order (owned by Admin) will have a new file generated in the wp-content/uploads/ directory representing the signature.
  • The order metadata for TARGET_ORDER_ID will point to the newly uploaded signature file.

8. Verification Steps

  1. WP-CLI Check:
    Check the post meta for the target order ID:
    wp post meta get TARGET_ORDER_ID repair_order_signature (Note: the meta key name may vary; use wp post meta list TARGET_ORDER_ID to find the exact key).
  2. Filesystem Check:
    Verify the signature file exists:
    ls -la wp-content/uploads/repairbuddy/signatures/ (inferred path).
  3. Admin UI Check:
    Navigate to the RepairBuddy Orders page in the WordPress dashboard and view the order. The unauthorized signature should be visible in the order details.

9. Alternative Approaches

  • Status Manipulation: If the wc_upload_and_save_signature_handler also triggers an order status change (e.g., from "Pending" to "Signed/Approved"), verify if the order status was modified by the Subscriber.
  • Base64 vs. File: If the plugin uses $_FILES instead of a Base64 string, adjust the http_request to use multipart/form-data.
  • Parameter Brute-force: If the nonce is not required (a common secondary vulnerability), attempt the request without the nonce parameter.
Research Findings
Static analysis — not yet PoC-verified

Summary

The RepairBuddy plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) flaw in its signature upload functionality. Authenticated attackers with Subscriber-level access or higher can upload and attach arbitrary signature images to any order in the system by supplying a target order ID, as the plugin fails to verify if the user has permission to modify the specified order.

Vulnerable Code

// Inferred from plugin functionality and research plan
add_action('wp_ajax_wc_upload_and_save_signature', 'wc_upload_and_save_signature_handler');

function wc_upload_and_save_signature_handler() {
    // No capability check or ownership verification exists here
    $order_id = $_POST['order_id'];
    $signature_data = $_POST['signature'];

    // Processing logic to save base64 signature to a file
    // ...

    // Vulnerably updating metadata for an arbitrary order_id
    update_post_meta($order_id, 'repair_order_signature', $signature_file_url);

    wp_send_json_success(array('message' => 'Signature saved'));
}

Security Fix

--- a/includes/ajax-functions.php
+++ b/includes/ajax-functions.php
@@ -10,6 +10,13 @@
 function wc_upload_and_save_signature_handler() {
+    check_ajax_referer('repairbuddy_nonce', 'nonce');
+
     $order_id = isset($_POST['order_id']) ? intval($_POST['order_id']) : 0;
 
+    if (!current_user_can('edit_post', $order_id)) {
+        wp_send_json_error(array('message' => 'You do not have permission to modify this order.'));
+        return;
+    }
+
     $signature_data = isset($_POST['signature']) ? $_POST['signature'] : '';
 
     if (empty($signature_data)) {

Exploit Outline

The exploit targets the `wc_upload_and_save_signature` AJAX action. An attacker first authenticates as a Subscriber and visits a page containing the `[repairbuddy_order_tracking]` shortcode to retrieve a valid security nonce. The attacker then identifies a target `order_id` (representing an order they do not own) and sends a POST request to `/wp-admin/admin-ajax.php`. The payload includes the target `order_id`, the extracted `nonce`, the `action` parameter, and a Base64-encoded string representing the signature image. Because the backend handler lacks authorization checks, it processes the upload and updates the metadata for the target order, effectively forging a signature on the victim's record.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/1b2ad299-03b1-4b9e-a241-d2ad2d85c3ac?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database