Skip to main content

Repairbuddy CVE-2026-39586

| EUVDEUVD-2026-20228 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-04-08 Patchstack
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Apr 15, 2026 - 12:41 vuln.today
CVSS changed
Apr 13, 2026 - 16:22 NVD
5.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20228
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Insertion of Sensitive Information Into Sent Data vulnerability in Ateeq Rafeeq RepairBuddy computer-repair-shop allows Retrieve Embedded Sensitive Data.This issue affects RepairBuddy: from n/a through <= 4.1132.

AnalysisAI

RepairBuddy plugin for WordPress versions through 4.1132 exposes sensitive data in network transmissions due to improper handling of embedded information, allowing remote unauthenticated attackers to retrieve confidential details via passive observation of sent data. The vulnerability has a moderate CVSS score of 5.3 with low exploitability probability (0.02% EPSS), indicating real-world risk is minimal despite the information disclosure impact.

Technical ContextAI

RepairBuddy is a WordPress plugin for managing computer repair shop operations. The vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), a weakness class where applications inadvertently transmit sensitive data-such as API keys, credentials, or customer information-in cleartext or insufficiently protected channels. This typically occurs when developers embed sensitive variables directly in HTTP responses, logs, or client-side code without proper redaction or encryption. The affected CPE (cpe:2.3:a:ateeq_rafeeq:repairbuddy:*:*:*:*:*:*:*:*) encompasses all RepairBuddy installations. The network-accessible attack vector (AV:N) combined with low complexity (AC:L) and no authentication requirement (PR:N) indicates the plugin exposes data through normal web traffic that any network observer can potentially intercept or analyze.

RemediationAI

Update RepairBuddy plugin to the latest patched version released by Ateeq Rafeeq; exact patch version was not confirmed in the provided data, so verify via the official WordPress plugin repository or Patchstack advisory page. Immediate workarounds include: (1) ensure WordPress site uses HTTPS for all transmissions to prevent network-level eavesdropping of exposed data, (2) review plugin logs and network traffic to identify what sensitive data (if any) is being transmitted unprotected, and (3) temporarily disable the plugin if sensitive customer data is at risk until a patch is confirmed available. Monitor the Patchstack reference (https://patchstack.com/database/Wordpress/Plugin/computer-repair-shop/vulnerability/wordpress-repairbuddy-plugin-4-1132-sensitive-data-exposure-vulnerability?_s_id=cve) for patch release notifications.

Share

CVE-2026-39586 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy