[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$focIpMVhCRyXHEkyNHyekwGd7SZ4Ia5XAdywkG2d6cHc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-39584","repairbuddy-repair-shop-crm-booking-plugin-for-wordpress-missing-authorization","RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress \u003C= 4.1132 - Missing Authorization","The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.1132. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unauthorized action.","computer-repair-shop",null,"\u003C=4.1132","4.1133","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Missing Authorization","2026-04-20 00:00:00","2026-04-30 15:01:53",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff570a9d2-41d7-42f2-9f13-4cda97ea2219?source=api-prod",11,[],"researched",false,3,"This research plan outlines the methodology for exploiting **CVE-2026-39584**, a Missing Authorization vulnerability in the **RepairBuddy – Repair Shop CRM & Booking Plugin**.\n\n### 1. Vulnerability Summary\nThe RepairBuddy plugin (\u003C= 4.1132) fails to implement adequate authorization checks on its AJAX handlers. While these handlers are registered for authenticated users (`wp_ajax_`), they lack internal capability checks (e.g., `current_user_can( 'manage_options' )`). This allows any authenticated user, including those with the **Subscriber** role, to execute privileged actions such as modifying business settings, managing inventory, or altering customer records.\n\n### 2. Attack Vector Analysis\n* **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Method:** POST\n* **Action Parameter:** `repairbuddy_save_business_settings` (inferred) or `rb_save_options` (inferred).\n* **Authentication:** Subscriber-level credentials or higher.\n* **Vulnerable Component:** The AJAX callback function fails to verify that the user has administrative permissions before processing the update request.\n\n### 3. Code Flow\n1. **Registration:** The plugin registers AJAX hooks in the main plugin file or an admin controller:\n `add_action( 'wp_ajax_repairbuddy_save_business_settings', array( $this, 'save_business_settings' ) );`\n2. **Dispatch:** `admin-ajax.php` receives a POST request with `action=repairbuddy_save_business_settings`.\n3. **Execution:** WordPress calls the callback `save_business_settings()`.\n4. **The Flaw:** The callback function checks for a valid nonce but fails to perform a capability check:\n ```php\n public function save_business_settings() {\n \u002F\u002F Potential check for nonce (often bypassed or easily obtained)\n check_ajax_referer( 'repairbuddy_nonce', 'nonce' ); \n \n \u002F\u002F MISSING: if (!current_user_can('manage_options')) { wp_die(); }\n\n $settings = $_POST['settings'];\n update_option('repairbuddy_settings', $settings);\n wp_send_json_success();\n }\n ```\n\n### 4. Nonce Acquisition Strategy\nThe plugin typically localizes a nonce for its admin interface. Since Subscribers can access `wp-admin\u002Fprofile.php` and many plugins enqueue their global admin scripts on all admin pages, the nonce is likely retrievable from the page source of the profile page.\n\n1. **Identify Localized Variable:** Look for `wp_localize_script` in the source code. Common identifiers in this plugin:\n * Variable Name: `repairbuddy_ajax_obj` (inferred) or `rb_admin_vars` (inferred).\n * Nonce Key: `nonce` or `rb_nonce`.\n2. **Creation of Page (If needed):** If scripts only load on specific pages, use WP-CLI to place the `[repairbuddy_booking_form]` (inferred) shortcode on a public page.\n3. **Extraction:**\n * Navigate to `\u002Fwp-admin\u002Fprofile.php` as a Subscriber.\n * Use `browser_eval`:\n `browser_eval(\"window.repairbuddy_ajax_obj?.nonce || window.rb_admin_vars?.nonce\")`\n\n### 5. Exploitation Strategy\nThe goal is to modify the shop's business name to prove unauthorized data modification.\n\n**Request Details:**\n* **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n* **Method:** POST\n* **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n* **Parameters:**\n * `action`: `repairbuddy_save_business_settings` (inferred)\n * `nonce`: `[EXTRACTED_NONCE]`\n * `business_name`: `HACKED_BY_SUBSCRIBER`\n * `business_email`: `attacker@example.com`\n\n*Note: The exact parameter structure (e.g., whether settings are nested in an array) must be verified by the agent by checking the plugin's `admin\u002Fassets\u002Fjs\u002Fadmin.js` or equivalent.*\n\n### 6. Test Data Setup\n1. **Install Plugin:** Ensure RepairBuddy \u003C= 4.1132 is active.\n2. **Create Attacker User:**\n `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n3. **Set Initial State:** Configure a default business name:\n `wp option update repairbuddy_settings '{\"business_name\":\"Original Shop Name\"}'` (Structure inferred).\n\n### 7. Expected Results\n* **Response:** A JSON success message: `{\"success\":true}` or `1`.\n* **Status Code:** 200 OK.\n* **Side Effect:** The plugin's business settings in the database are updated with the attacker-supplied values.\n\n### 8. Verification Steps\n1. **Check Database via WP-CLI:**\n `wp option get repairbuddy_settings`\n2. **Verify UI:**\n Navigate to the plugin's settings page as an admin and confirm the \"Business Name\" has changed to \"HACKED_BY_SUBSCRIBER\".\n\n### 9. Alternative Approaches\nIf `repairbuddy_save_business_settings` is not the exact action name:\n1. **Identify via Grep:**\n `grep -r \"wp_ajax_\" wp-content\u002Fplugins\u002Fcomputer-repair-shop\u002F`\n2. **Target Inventory\u002FItems:**\n Look for actions like `repairbuddy_add_item` or `repairbuddy_delete_customer`.\n3. **Check for Nonce-less Actions:**\n Some older versions of this plugin may have forgotten `check_ajax_referer` entirely on specific handlers, making them exploitable even without a nonce.\n4. **Check for Settings API:**\n If the plugin uses `register_setting`, try sending a POST to `wp-admin\u002Foptions.php` using the Subscriber session to see if the option group is unprotected.","The RepairBuddy plugin for WordPress fails to implement capability checks in its AJAX handlers, allowing any authenticated user (including Subscribers) to perform administrative actions. By exploiting this, an attacker can modify business settings, manage inventory, or alter customer records through the admin-ajax.php endpoint.","\u002F\u002F In computer-repair-shop\u002Fclasses\u002Frepairbuddy_admin.php or similar\n\nadd_action('wp_ajax_repairbuddy_save_business_settings', array($this, 'save_business_settings'));\n\npublic function save_business_settings() {\n \u002F\u002F Only checks nonce, not user capabilities\n check_ajax_referer('repairbuddy_nonce', 'nonce'); \n \n \u002F\u002F The lack of current_user_can('manage_options') check here allows unauthorized access\n $settings = $_POST['settings'];\n update_option('repairbuddy_settings', $settings);\n wp_send_json_success();\n}","--- a\u002Fclasses\u002Frepairbuddy_admin.php\n+++ b\u002Fclasses\u002Frepairbuddy_admin.php\n@@ -10,6 +10,10 @@\n public function save_business_settings() {\n check_ajax_referer('repairbuddy_nonce', 'nonce');\n+\n+ if (!current_user_can('manage_options')) {\n+ wp_send_json_error(__('You do not have permission to perform this action.', 'repairbuddy'));\n+ wp_die();\n+ }\n+\n $settings = $_POST['settings'];\n update_option('repairbuddy_settings', $settings);\n wp_send_json_success();","The exploit targets the AJAX interface in WordPress. An attacker with a Subscriber-level account logs into the WordPress dashboard and extracts a valid AJAX nonce (usually 'repairbuddy_nonce') from the HTML source or localized script variables on pages like \u002Fwp-admin\u002Fprofile.php. The attacker then sends a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'repairbuddy_save_business_settings' (or other administrative actions) and the extracted nonce. Because the server-side callback function only verifies the nonce and not the user's role\u002Fcapabilities, the attacker can successfully update plugin settings or perform other administrative functions by providing the corresponding POST parameters.","gemini-3-flash-preview","2026-05-04 19:59:01","2026-05-04 20:01:03",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","4.1132","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcomputer-repair-shop\u002Ftags\u002F4.1132","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcomputer-repair-shop.4.1132.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcomputer-repair-shop\u002Ftags\u002F4.1133","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fcomputer-repair-shop.4.1133.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcomputer-repair-shop\u002Ftags"]