RepairBuddy WordPress Plugin Missing Authorization Vulnerability in Settings Modification
Vulnerability
A vulnerability exists in the RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress that allows low-privilege authenticated users to modify admin-level plugin settings. It affects all versions through 4.1132. The root cause is two exposed AJAX handlers. The first, wc_rb_get_fresh_nonce(), lets any authenticated user obtain a valid WordPress nonce for an arbitrary action without a capability check. The second, wc_rep_shop_settings_submission(), verifies the nonce but does not check the caller's capabilities before updating more than 15 plugin options. A WordPress nonce is a CSRF token that ties a request to a user and an action; it is not an authorization check, so once a subscriber can mint one, the nonce verification in the settings handler provides no protection on its own. As a result, authenticated users with subscriber-level access and above can change plugin settings including business details, logo, menu label, and GDPR options.
Impact
An authenticated attacker with subscriber-level access or above can modify a wide range of admin-level plugin settings without authorization, which may lead to misconfiguration of the site or abuse of plugin features (for example, altering the business details, logo, or GDPR options).
Reproduction
To reproduce this vulnerability, an authenticated user with subscriber-level access first calls the wc_rb_get_fresh_nonce AJAX action to obtain a valid nonce for the settings-submission action. That nonce is then supplied in a request to the wc_rep_shop_settings_submission AJAX action, which accepts it and updates the site's plugin settings without checking whether the caller is permitted to do so.
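The two-handler pattern described above, and how it should be written, as an added illustration that is not RepairBuddy's own code: the vulnerable versions mint a nonce for any logged-in user and then treat nonce verification as if it were authorization; the hardened versions add a capability check. The action names (example_*), the nonce_action and security request parameters, and the example_business_name option are hypothetical placeholders chosen for this example.

```php
<?php
// Added example, not the plugin's code. All action, parameter and option names are hypothetical.

// ---------- Vulnerable pattern (shown unhooked, for comparison) ----------

// Mints a nonce for whatever action the caller names. Any logged-in user can
// call wp_ajax_* handlers, so this hands subscribers a valid CSRF token for
// admin-only actions. A nonce proves intent, not permission.
function example_get_fresh_nonce_vulnerable() {
    $action = sanitize_text_field( wp_unslash( $_POST['nonce_action'] ?? '' ) ); // hypothetical param
    wp_send_json_success( array( 'nonce' => wp_create_nonce( $action ) ) );
}

// Verifies the nonce but never asks whether the caller may change settings.
function example_settings_submission_vulnerable() {
    check_ajax_referer( 'example_settings', 'security' ); // hypothetical action / field names
    update_option( 'example_business_name', sanitize_text_field( wp_unslash( $_POST['business_name'] ?? '' ) ) );
    wp_send_json_success();
}

// ---------- Hardened pattern ----------

add_action( 'wp_ajax_example_get_fresh_nonce', 'example_get_fresh_nonce_hardened' );
function example_get_fresh_nonce_hardened() {
    // Only mint nonces for a fixed allow-list of actions, and only for users
    // who hold the capability that the corresponding handler will demand.
    $allowed = array( 'example_settings' => 'manage_options' );
    $action  = sanitize_text_field( wp_unslash( $_POST['nonce_action'] ?? '' ) );
    if ( ! isset( $allowed[ $action ] ) || ! current_user_can( $allowed[ $action ] ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( array( 'nonce' => wp_create_nonce( $action ) ) );
}

add_action( 'wp_ajax_example_settings_submission', 'example_settings_submission_hardened' );
function example_settings_submission_hardened() {
    // Authorization first: is this user allowed to change site settings at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF defence second: was this request intentionally sent by that user?
    // Both checks are required; neither substitutes for the other.
    check_ajax_referer( 'example_settings', 'security' );
    update_option( 'example_business_name', sanitize_text_field( wp_unslash( $_POST['business_name'] ?? '' ) ) );
    wp_send_json_success();
}
```

In practice a nonce-minting AJAX endpoint is rarely needed at all: the nonce can be generated server-side when the admin page is rendered and passed to the page's script (for example via wp_localize_script), which keeps nonce issuance behind the same capability check that gates the admin page.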
Remediation
Users are advised to update the RepairBuddy WordPress Plugin to version 4.1133 or later, where this vulnerability has been patched.
