Attack Vectors

CVE-2026-3567 is a Medium-severity vulnerability (CVSS 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) affecting RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress (slug: computer-repair-shop) in versions <= 4.1132.

The risk centers on the plugin’s AJAX functionality. According to the published advisory, two AJAX handlers can be combined so that any authenticated user (Subscriber or higher) may be able to modify admin-level plugin settings through the wc_rep_shop_settings_submission AJAX action.

Importantly, one of the involved functions, wc_rb_get_fresh_nonce(), is registered via both wp_ajax and wp_ajax_nopriv hooks and allows generation of a valid WordPress nonce for an arbitrary action name using a nonce_name parameter without capability checks. This can lower the barrier to producing the “right” nonce values used in follow-on requests.

Security Weakness

This issue is a classic missing authorization problem: the plugin’s settings-change pathway relies on nonce verification but does not enforce appropriate role/capability checks to ensure that only administrators (or intended privileged roles) can change sensitive configuration.

Nonces are designed to help protect against certain request-forgery scenarios, but they are not a substitute for authorization. When a plugin also provides a mechanism to generate nonces without enforcing permissions (as described in the advisory), it can further undermine the control that nonce checks are intended to provide.

Remediation: Update RepairBuddy to version 4.1133 or a newer patched release. Reference: Wordfence vulnerability advisory and CVE record.

Technical or Business Impacts

Because this vulnerability enables unauthorized modification of admin-level plugin settings, the business impact is primarily around operational integrity and trust. For a repair shop website running bookings and CRM workflows, unauthorized settings changes can disrupt customer intake, scheduling, and communications—creating avoidable revenue loss and customer churn.

Potential business impacts include:

• Booking and workflow disruption: changes to plugin settings may alter how appointments, requests, or customer interactions are processed, potentially causing missed or misrouted leads.
• Brand and customer experience damage: misconfiguration can lead to broken forms, unexpected site behavior, or inconsistent customer communications that erode confidence.
• Compliance and audit concerns: unauthorized configuration changes complicate change-control, incident response, and evidence gathering for internal compliance requirements.
• Increased incident cost: even without direct data theft indicated in the advisory, time spent triaging “mysterious” configuration changes and restoring expected behavior can be significant.

Similar attacks (real-world examples): vulnerabilities in widely deployed web platforms and plugins are frequently weaponized quickly, increasing the urgency of patching and monitoring. Examples include CVE-2020-25213 (WP File Manager), CVE-2021-34646 (WooCommerce), and CVE-2021-29447 (WordPress).