Skip to main content

RepairBuddy CVE-2026-39584

| EUVDEUVD-2026-36967 MEDIUM
Missing Authorization (CWE-862)
2026-06-15 Patchstack GHSA-q8xf-858j-xmfh
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-accessible broken access control requiring only a subscriber account (PR:L); confidentiality impact is high via unauthorized data read with no integrity or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 23:10 vuln.today

DescriptionCVE.org

Subscriber Broken Access Control in RepairBuddy <= 4.1132 versions.

AnalysisAI

Broken access control in the RepairBuddy WordPress plugin (versions ≤ 4.1132) allows subscriber-level authenticated users to access restricted functionality or sensitive data without adequate authorization checks. The CVSS vector (PR:L, C:H, I:N, A:N) confirms that low-privileged users - specifically WordPress subscribers, the lowest authenticated role - can achieve high confidentiality impact, likely by reading repair orders, customer PII, or administrative data reserved for shop managers and admins. No public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

RepairBuddy is a WordPress plugin by Webful Creations designed for computer repair shops to manage repair tickets, customer records, and shop operations. The root cause is CWE-862 (Missing Authorization): the plugin fails to enforce role-based access checks on one or more internal endpoints or AJAX actions, allowing subscribers - the lowest WordPress user tier - to invoke privileged functionality. In WordPress, subscriber accounts are often freely registerable on public-facing sites, lowering the barrier to exploitation. The affected CPE (cpe:2.3:a:webful_creations:repairbuddy:*:*:*:*:*:*:*:*) spans all versions through and including 4.1132. Note that the 'Authentication Bypass' tag applied by Patchstack is slightly misleading: the CVSS PR:L metric confirms authentication IS required; what is bypassed is authorization, not authentication.

RemediationAI

Update the RepairBuddy plugin to the next release issued by Webful Creations beyond version 4.1132; no specific patched version number has been confirmed in the available data, so monitor the Patchstack advisory and the WordPress plugin repository for a confirmed fixed release. As an immediate compensating control, disable open user registration on the WordPress site (Settings → General → uncheck 'Anyone can register') to eliminate the subscriber-level foothold required for exploitation - note this will prevent new user self-registration site-wide. If subscriber accounts are operationally unnecessary for RepairBuddy workflows, audit and remove existing subscriber accounts. As a last resort, deactivate the RepairBuddy plugin until a patched version is confirmed, accepting the trade-off of losing all repair shop management functionality during that window.

Share

CVE-2026-39584 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy