CVE-2026-3567 Overview
The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress contains an authorization bypass vulnerability that allows authenticated users with minimal privileges to modify administrative plugin settings. This vulnerability affects all versions up to and including 4.1132 and stems from missing capability checks in two AJAX handlers that, when exploited together, enable unauthorized configuration changes.
Critical Impact
Authenticated attackers with subscriber-level access can modify all plugin configuration settings including business name, email, logo, menu label, and GDPR settings by exploiting missing capability checks in AJAX handlers.
Affected Products
- RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress versions up to and including 4.1132
- WordPress installations running vulnerable versions of the computer-repair-shop plugin
Discovery Timeline
- 2026-03-21 - CVE-2026-3567 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-3567
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization) and represents a broken access control flaw in the RepairBuddy WordPress plugin. The vulnerability exists due to the plugin's failure to implement proper capability checks on sensitive administrative functions.
The attack exploits a two-step process involving two separate AJAX handlers. First, an attacker leverages the wc_rb_get_fresh_nonce() function, which is registered via both wp_ajax and wp_ajax_nopriv hooks. This function generates valid WordPress nonces for any arbitrary action name simply by providing a nonce_name parameter, without any capability verification. This nonce-minting capability should be restricted to administrators but is accessible to any authenticated user.
Second, the wc_rep_shop_settings_submission() function only verifies that a valid nonce (wcrb_main_setting_nonce) is present but performs no current_user_can() capability check before executing update_option() calls on more than 15 plugin options. This means any user who can generate a valid nonce can modify plugin settings.
Root Cause
The root cause of this vulnerability is the absence of authorization checks (specifically WordPress current_user_can() calls) in two critical AJAX handler functions. The wc_rb_get_fresh_nonce() function lacks any capability check before generating nonces, and the wc_rep_shop_settings_submission() function relies solely on nonce verification without validating user capabilities. A WordPress nonce is a CSRF token, not proof of authorization: it shows that the request originated from the site, not that the requesting user is allowed to perform the action, so administrative functions must verify the user's capabilities separately before execution.
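As an added illustration of the root cause (not RepairBuddy's own code; function names, option keys and the manage_options capability are assumptions), the nonce-only pattern is shown beside a hardened handler that checks capability independently of the nonce:

```php
<?php
// Added illustration of the root cause, not the plugin's actual code.
// Function names, option keys and 'manage_options' are assumptions.

// BEFORE: a nonce alone gates the settings update. A nonce only proves the
// request came from a page this site served (CSRF protection); it says
// nothing about whether the user may change settings. Combined with an
// unrestricted nonce-minting endpoint, any logged-in user passes this check.
function example_settings_submission_vulnerable() {
    check_ajax_referer( 'wcrb_main_setting_nonce' );
    update_option( 'example_business_name', wp_unslash( $_POST['business_name'] ) );
    wp_send_json_success();
}

// AFTER: authorization is verified separately from the nonce, and values
// are sanitized before they reach update_option().
function example_settings_submission_hardened() {
    check_ajax_referer( 'wcrb_main_setting_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    $name  = sanitize_text_field( wp_unslash( $_POST['business_name'] ?? '' ) );
    $email = sanitize_email( wp_unslash( $_POST['business_email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email' ), 400 );
    }
    update_option( 'example_business_name', $name );
    update_option( 'example_business_email', $email );
    wp_send_json_success();
}

// The nonce-minting helper needs the same capability check; without it,
// it hands a valid token for any action name to whoever asks.
function example_get_fresh_nonce_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    $action = sanitize_key( $_POST['nonce_name'] ?? '' );
    wp_send_json_success( array( 'nonce' => wp_create_nonce( $action ) ) );
}

// Privileged actions are registered on wp_ajax_ only, never wp_ajax_nopriv_.
add_action( 'wp_ajax_example_settings_submission', 'example_settings_submission_hardened' );
add_action( 'wp_ajax_example_get_fresh_nonce', 'example_get_fresh_nonce_hardened' );
```

wp_send_json_error() terminates the request, so no explicit return is needed after a failed check.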
Attack Vector
The attack is network-based and requires only subscriber-level authentication to the WordPress site. An attacker first authenticates with any valid WordPress account (even a basic subscriber), then makes an AJAX request to the wc_rb_get_fresh_nonce endpoint with the parameter nonce_name=wcrb_main_setting_nonce to obtain a valid nonce. With this nonce in hand, the attacker can then call the settings submission handler to modify any of the 15+ plugin configuration options, including business identity information, email addresses, logo URLs, menu labels, and GDPR compliance settings.
The vulnerability is particularly concerning because it allows attackers to:
- Modify business contact information displayed to customers
- Change GDPR consent settings, potentially causing compliance issues
- Alter plugin branding and menu labels
- Redirect business communications by changing email settings
Detection Methods for CVE-2026-3567
Indicators of Compromise
- Unexpected AJAX requests to the wc_rb_get_fresh_nonce endpoint from low-privilege user sessions
- Plugin settings changes logged without corresponding administrator activity
- Modified RepairBuddy configuration values such as business name, email, or logo that were not authorized by administrators
- Anomalous WordPress option updates to plugin settings from non-admin user contexts
Detection Strategies
- Monitor WordPress AJAX request logs for calls to wc_rb_get_fresh_nonce and wc_rep_shop_settings_submission from non-administrator user sessions
- Implement file integrity monitoring on the RepairBuddy plugin files to detect unauthorized changes
- Review WordPress wp_options table for unexpected modifications to RepairBuddy settings
- Enable WordPress debug logging to capture AJAX handler activity
Monitoring Recommendations
- Configure web application firewall rules to flag suspicious AJAX requests targeting the vulnerable endpoints
- Implement user activity logging to track settings changes and correlate them with authenticated user capabilities
- Set up alerts for configuration changes to critical plugin settings outside of normal administrative workflows
How to Mitigate CVE-2026-3567
Immediate Actions Required
- Update RepairBuddy – Repair Shop CRM & Booking Plugin to a version newer than 4.1132 that includes the security fix
- Audit plugin settings for any unauthorized modifications that may have occurred
- Review user accounts with subscriber-level or higher access for suspicious activity
- Temporarily restrict plugin settings access by disabling AJAX handlers if an immediate update is not possible
Patch Information
A security patch is available through the WordPress plugin repository. The fix addresses the missing authorization checks by implementing proper current_user_can() capability verification in both the wc_rb_get_fresh_nonce() and wc_rep_shop_settings_submission() functions. Administrators should update to the latest available version as documented in the WordPress Plugin Changeset. Additional technical details are available in the Wordfence Vulnerability Report.
Workarounds
- Restrict WordPress subscriber and contributor user registrations until the plugin is patched
- Implement a Web Application Firewall (WAF) rule to block AJAX requests to the vulnerable wc_rb_get_fresh_nonce endpoint from non-administrator users
- Temporarily deactivate the RepairBuddy plugin if it is not critical to business operations until a patched version can be deployed
- Add custom code to the theme's functions.php to remove the vulnerable AJAX action hooks as a temporary measure
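An added example of the temporary hook-level guard described in the last workaround (not RepairBuddy's code). It assumes the AJAX action names equal the handler function names the advisory gives (wc_rb_get_fresh_nonce and wc_rep_shop_settings_submission) and that the plugin registers its callbacks at the default priority; confirm both against the installed plugin before relying on it:

```php
<?php
// Added workaround example, not the plugin's code. Place in a must-use
// plugin (wp-content/mu-plugins/) or the theme's functions.php.
// Assumption: the AJAX action names match the advisory's function names.

function example_wcrb_guard_ajax() {
    // Registered at priority 0, so this runs before the plugin's own
    // callback (default priority 10) without needing its callback name.
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators keep normal access
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    $user   = wp_get_current_user();
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( $_SERVER['REMOTE_ADDR'] ) : 'unknown';
    // Log the blocked attempt so it can be correlated with the detection
    // indicators above (low-privilege sessions hitting these endpoints).
    error_log( sprintf(
        'wcrb-guard: blocked AJAX action %s for user %s (ID %d) from %s',
        $action,
        $user->ID ? $user->user_login : 'anonymous',
        $user->ID,
        $ip
    ) );
    wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // exits
}

// Guard both the logged-in and the nopriv variants of each action.
foreach ( array( 'wc_rb_get_fresh_nonce', 'wc_rep_shop_settings_submission' ) as $ajax_action ) {
    add_action( 'wp_ajax_' . $ajax_action, 'example_wcrb_guard_ajax', 0 );
    add_action( 'wp_ajax_nopriv_' . $ajax_action, 'example_wcrb_guard_ajax', 0 );
}
```

If the plugin's front-end booking form depends on wc_rb_get_fresh_nonce for non-admin visitors, test that flow after installing the guard; remove the guard once the patched version is deployed.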
# Verify current plugin version and check for updates
wp plugin list --name=computer-repair-shop --format=table
wp plugin update computer-repair-shop
# Review recent plugin option changes in the database
wp db query "SELECT option_name, option_value FROM wp_options WHERE option_name LIKE '%wcrb%' OR option_name LIKE '%repair%';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.