CVE-2026-24638

RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress <= 4.1121 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
4.1125
Patched in
1d
Time to patch

Description

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.1121. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.1121
PublishedMay 26, 2026
Last updatedMay 26, 2026
Affected plugincomputer-repair-shop

What Changed in the Fix

Changes introduced in v4.1125

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-24638 (RepairBuddy Missing Authorization) ## 1. Vulnerability Summary The **RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress** (versions <= 4.1121) is vulnerable to a missing authorization check. Specifically, administrative functions responsible f…

Show full research plan

Exploitation Research Plan: CVE-2026-24638 (RepairBuddy Missing Authorization)

1. Vulnerability Summary

The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress (versions <= 4.1121) is vulnerable to a missing authorization check. Specifically, administrative functions responsible for plugin setup, such as wc_rb_create_default_pages (located in activate.php), are potentially exposed to low-privileged users. The plugin registers a main admin menu page with the read capability, allowing any authenticated user (including Subscribers) to access the plugin's dashboard logic. If setup functions are hooked to admin_init or exposed via AJAX without additional capability checks (current_user_can( 'manage_options' )), a subscriber can trigger unauthorized actions such as creating multiple WordPress pages and updating site options.

2. Attack Vector Analysis

  • Endpoint: wp-admin/admin-ajax.php or wp-admin/admin.php?page=wc-computer-rep-shop-handle.
  • Action: Inferred AJAX action wcrb_create_pages or the admin_init hook triggering wc_rb_create_default_pages.
  • Payload: action=wcrb_create_pages (for AJAX) or simply visiting the dashboard.
  • Authentication: Authenticated user with Subscriber role.
  • Preconditions: The plugin option wc_rb_setup_pages_once must not be set to 'YES', or the attacker must find a way to reset it. In a default installation where the admin hasn't completed the setup wizard, a subscriber can hijack the process.

3. Code Flow

  1. Hook Registration: The plugin likely hooks wc_rb_create_default_pages to admin_init or an AJAX action (wp_ajax_wcrb_create_pages).
  2. Entry Point: A subscriber sends a request to admin-ajax.php or visits the admin dashboard (accessible via the read capability in admin_menu.php).
  3. Execution:
    • The function wc_rb_create_default_pages() in activate.php is called.
    • It checks get_option( 'wc_rb_setup_pages_once' ).
    • If not 'YES', it proceeds to call wp_insert_post() multiple times to create pages like "Job Status", "Review Your Job", etc.
    • It updates options like wc_rb_status_check_page_id and finally sets wc_rb_setup_pages_once to 'YES'.
  4. Sink: wp_insert_post() (database modification) and update_option() (configuration change).

4. Nonce Acquisition Strategy

Missing Authorization vulnerabilities of this type in RepairBuddy often lack both capability checks and CSRF protection (nonces).
If a nonce is required, the execution agent should:

  1. Navigate to the plugin's main dashboard as a Subscriber: /wp-admin/admin.php?page=wc-computer-rep-shop-handle.
    2
Research Findings
Static analysis — not yet PoC-verified

Summary

The RepairBuddy plugin for WordPress is vulnerable to unauthorized access because it registers its primary admin dashboard with the 'read' capability and lacks proper authorization checks on administrative functions. This allows authenticated users with low privileges, such as Subscribers, to trigger setup processes that create pages and update site options.

Vulnerable Code

// activate.php line 54
if ( ! function_exists( 'wc_rb_create_default_pages' ) ) {
	function wc_rb_create_default_pages() {
		//Check if pages are setup
		$pages_setup_status = get_option( 'wc_rb_setup_pages_once' );

		if ( $pages_setup_status == 'YES' ) {
			return '';
		}

		if ( empty( get_option( 'wc_rb_status_check_page_id' ) ) ) {
			//Setup Status Check page.
			$theReturnId = $page_args = '';
			$page_args = array(
				'post_title'    => esc_html__( 'Job Status', 'computer-repair-shop' ),
				'post_content'  => '[wc_order_status_form]',
				'post_status'   => 'publish',
				'post_author'   => 1,
				'post_type'     => 'page',
			);
			// Insert the post into the database
			$theReturnId = wp_insert_post( $page_args );

			update_option( 'wc_rb_status_check_page_id', $theReturnId );
		}
        // ...
		update_option( 'wc_rb_setup_pages_once', 'YES' );
	}
}

--- 

// admin_menu.php line 26
add_menu_page( esc_html( $menu_name_p ), esc_html( $menu_name_p ), 'read', 'wc-computer-rep-shop-handle', 'wc_comp_repair_shop_main', plugins_url( 'assets/admin/images/computer-repair.png', __FILE__ ), '50' );

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/computer-repair-shop/4.1116/assets/admin/js/ajax_scripts.js /home/deploy/wp-safety.org/data/plugin-versions/computer-repair-shop/4.1125/assets/admin/js/ajax_scripts.js
--- /home/deploy/wp-safety.org/data/plugin-versions/computer-repair-shop/4.1116/assets/admin/js/ajax_scripts.js	2025-12-26 17:01:38.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/computer-repair-shop/4.1125/assets/admin/js/ajax_scripts.js	2026-02-10 00:49:14.000000000 +0000
@@ -1578,6 +1578,7 @@
 		var recordName		= $('[name="add_history_note"]').val();
 		var recordType	  	= $('[name="wc_history_type"]').val();
 		var emailCustomer	= $('[name="wc_email_customer_manual_msg"]:checked').val();
+		var theNonce 		= $('#theNonce').val();
 		
 		if(recordID == "") {
 			alert("Please select correct value");
@@ -1590,7 +1591,8 @@
 					'recordID': recordID,
 					'recordName': recordName,
 					'emailCustomer': emailCustomer,
-					'recordType': recordType
+					'recordType': recordType,
+					'theNonce': theNonce
 				},

Exploit Outline

An attacker with Subscriber-level authentication can exploit this vulnerability by accessing the plugin's administration page at '/wp-admin/admin.php?page=wc-computer-rep-shop-handle'. Because this menu page is incorrectly registered with the 'read' capability, low-privileged users are permitted to access the plugin dashboard logic. This access triggers functions such as 'wc_rb_create_default_pages' (often hooked to administrative initialization), which perform sensitive actions like creating new WordPress pages via wp_insert_post() and updating global options, without verifying if the user has the 'manage_options' capability.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.