[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fQoTwgtfmYzNrhhgvUNwiT4kmR9XIRCCaynIWlO41t-U":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":28,"research_verified":29,"research_rounds_completed":30,"research_plan":31,"research_summary":32,"research_vulnerable_code":33,"research_fix_diff":34,"research_exploit_outline":35,"research_model_used":36,"research_started_at":37,"research_completed_at":38,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":29,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":29,"source_links":39},"CVE-2026-24638","repairbuddy-repair-shop-crm-booking-plugin-for-wordpress-missing-authorization-2","RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress \u003C= 4.1121 - Missing Authorization","The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.1121. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","computer-repair-shop",null,"\u003C=4.1121","4.1125","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-05-26 00:00:00","2026-05-26 19:25:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F7a69cc6e-cbb7-4b66-8a55-709e29273378?source=api-prod",1,[22,23,24,25,26,27],"activate.php","admin_menu.php","assets\u002Fadmin\u002Fcss\u002Fstyle.css","assets\u002Fadmin\u002Fjs\u002Fajax_scripts.js","assets\u002Fadmin\u002Fjs\u002Fmy-admin.js","assets\u002Fcss\u002Fstyle.css","researched",false,3,"# Exploitation Research Plan: CVE-2026-24638 (RepairBuddy Missing Authorization)\n\n## 1. Vulnerability Summary\nThe **RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress** (versions \u003C= 4.1121) is vulnerable to a missing authorization check. Specifically, administrative functions responsible for plugin setup, such as `wc_rb_create_default_pages` (located in `activate.php`), are potentially exposed to low-privileged users. The plugin registers a main admin menu page with the `read` capability, allowing any authenticated user (including **Subscribers**) to access the plugin's dashboard logic. If setup functions are hooked to `admin_init` or exposed via AJAX without additional capability checks (`current_user_can( 'manage_options' )`), a subscriber can trigger unauthorized actions such as creating multiple WordPress pages and updating site options.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: `wp-admin\u002Fadmin-ajax.php` or `wp-admin\u002Fadmin.php?page=wc-computer-rep-shop-handle`.\n- **Action**: Inferred AJAX action `wcrb_create_pages` or the `admin_init` hook triggering `wc_rb_create_default_pages`.\n- **Payload**: `action=wcrb_create_pages` (for AJAX) or simply visiting the dashboard.\n- **Authentication**: Authenticated user with **Subscriber** role.\n- **Preconditions**: The plugin option `wc_rb_setup_pages_once` must not be set to `'YES'`, or the attacker must find a way to reset it. In a default installation where the admin hasn't completed the setup wizard, a subscriber can hijack the process.\n\n## 3. Code Flow\n1. **Hook Registration**: The plugin likely hooks `wc_rb_create_default_pages` to `admin_init` or an AJAX action (`wp_ajax_wcrb_create_pages`).\n2. **Entry Point**: A subscriber sends a request to `admin-ajax.php` or visits the admin dashboard (accessible via the `read` capability in `admin_menu.php`).\n3. **Execution**:\n   - The function `wc_rb_create_default_pages()` in `activate.php` is called.\n   - It checks `get_option( 'wc_rb_setup_pages_once' )`.\n   - If not `'YES'`, it proceeds to call `wp_insert_post()` multiple times to create pages like \"Job Status\", \"Review Your Job\", etc.\n   - It updates options like `wc_rb_status_check_page_id` and finally sets `wc_rb_setup_pages_once` to `'YES'`.\n4. **Sink**: `wp_insert_post()` (database modification) and `update_option()` (configuration change).\n\n## 4. Nonce Acquisition Strategy\nMissing Authorization vulnerabilities of this type in RepairBuddy often lack both capability checks and CSRF protection (nonces). \nIf a nonce is required, the execution agent should:\n1. Navigate to the plugin's main dashboard as a Subscriber: `\u002Fwp-admin\u002Fadmin.php?page=wc-computer-rep-shop-handle`.\n2","The RepairBuddy plugin for WordPress is vulnerable to unauthorized access because it registers its primary admin dashboard with the 'read' capability and lacks proper authorization checks on administrative functions. This allows authenticated users with low privileges, such as Subscribers, to trigger setup processes that create pages and update site options.","\u002F\u002F activate.php line 54\nif ( ! function_exists( 'wc_rb_create_default_pages' ) ) {\n\tfunction wc_rb_create_default_pages() {\n\t\t\u002F\u002FCheck if pages are setup\n\t\t$pages_setup_status = get_option( 'wc_rb_setup_pages_once' );\n\n\t\tif ( $pages_setup_status == 'YES' ) {\n\t\t\treturn '';\n\t\t}\n\n\t\tif ( empty( get_option( 'wc_rb_status_check_page_id' ) ) ) {\n\t\t\t\u002F\u002FSetup Status Check page.\n\t\t\t$theReturnId = $page_args = '';\n\t\t\t$page_args = array(\n\t\t\t\t'post_title'    => esc_html__( 'Job Status', 'computer-repair-shop' ),\n\t\t\t\t'post_content'  => '[wc_order_status_form]',\n\t\t\t\t'post_status'   => 'publish',\n\t\t\t\t'post_author'   => 1,\n\t\t\t\t'post_type'     => 'page',\n\t\t\t);\n\t\t\t\u002F\u002F Insert the post into the database\n\t\t\t$theReturnId = wp_insert_post( $page_args );\n\n\t\t\tupdate_option( 'wc_rb_status_check_page_id', $theReturnId );\n\t\t}\n        \u002F\u002F ...\n\t\tupdate_option( 'wc_rb_setup_pages_once', 'YES' );\n\t}\n}\n\n--- \n\n\u002F\u002F admin_menu.php line 26\nadd_menu_page( esc_html( $menu_name_p ), esc_html( $menu_name_p ), 'read', 'wc-computer-rep-shop-handle', 'wc_comp_repair_shop_main', plugins_url( 'assets\u002Fadmin\u002Fimages\u002Fcomputer-repair.png', __FILE__ ), '50' );","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomputer-repair-shop\u002F4.1116\u002Fassets\u002Fadmin\u002Fjs\u002Fajax_scripts.js \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomputer-repair-shop\u002F4.1125\u002Fassets\u002Fadmin\u002Fjs\u002Fajax_scripts.js\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomputer-repair-shop\u002F4.1116\u002Fassets\u002Fadmin\u002Fjs\u002Fajax_scripts.js\t2025-12-26 17:01:38.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fcomputer-repair-shop\u002F4.1125\u002Fassets\u002Fadmin\u002Fjs\u002Fajax_scripts.js\t2026-02-10 00:49:14.000000000 +0000\n@@ -1578,6 +1578,7 @@\n \t\tvar recordName\t\t= $('[name=\"add_history_note\"]').val();\n \t\tvar recordType\t  \t= $('[name=\"wc_history_type\"]').val();\n \t\tvar emailCustomer\t= $('[name=\"wc_email_customer_manual_msg\"]:checked').val();\n+\t\tvar theNonce \t\t= $('#theNonce').val();\n \t\t\n \t\tif(recordID == \"\") {\n \t\t\talert(\"Please select correct value\");\n@@ -1590,7 +1591,8 @@\n \t\t\t\t\t'recordID': recordID,\n \t\t\t\t\t'recordName': recordName,\n \t\t\t\t\t'emailCustomer': emailCustomer,\n-\t\t\t\t\t'recordType': recordType\n+\t\t\t\t\t'recordType': recordType,\n+\t\t\t\t\t'theNonce': theNonce\n \t\t\t\t},","An attacker with Subscriber-level authentication can exploit this vulnerability by accessing the plugin's administration page at '\u002Fwp-admin\u002Fadmin.php?page=wc-computer-rep-shop-handle'. Because this menu page is incorrectly registered with the 'read' capability, low-privileged users are permitted to access the plugin dashboard logic. This access triggers functions such as 'wc_rb_create_default_pages' (often hooked to administrative initialization), which perform sensitive actions like creating new WordPress pages via wp_insert_post() and updating global options, without verifying if the user has the 'manage_options' capability.","gemini-3-flash-preview","2026-06-04 20:54:55","2026-06-04 20:56:10",{"type":40,"vulnerable_version":41,"fixed_version":11,"vulnerable_browse":42,"vulnerable_zip":43,"fixed_browse":44,"fixed_zip":45,"all_tags":46},"plugin","4.1116","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcomputer-repair-shop\u002Ftags\u002F4.1116","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcomputer-repair-shop.4.1116.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcomputer-repair-shop\u002Ftags\u002F4.1125","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcomputer-repair-shop.4.1125.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcomputer-repair-shop\u002Ftags"]