Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in Ateeq Rafeeq RepairBuddy computer-repair-shop allows Retrieve Embedded Sensitive Data.This issue affects RepairBuddy: from n/a through <= 4.1132.
AnalysisAI
RepairBuddy plugin for WordPress versions through 4.1132 exposes sensitive data in network transmissions due to improper handling of embedded information, allowing remote unauthenticated attackers to retrieve confidential details via passive observation of sent data. The vulnerability has a moderate CVSS score of 5.3 with low exploitability probability (0.02% EPSS), indicating real-world risk is minimal despite the information disclosure impact.
Technical ContextAI
RepairBuddy is a WordPress plugin for managing computer repair shop operations. The vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), a weakness class where applications inadvertently transmit sensitive data-such as API keys, credentials, or customer information-in cleartext or insufficiently protected channels. This typically occurs when developers embed sensitive variables directly in HTTP responses, logs, or client-side code without proper redaction or encryption. The affected CPE (cpe:2.3:a:ateeq_rafeeq:repairbuddy:*:*:*:*:*:*:*:*) encompasses all RepairBuddy installations. The network-accessible attack vector (AV:N) combined with low complexity (AC:L) and no authentication requirement (PR:N) indicates the plugin exposes data through normal web traffic that any network observer can potentially intercept or analyze.
RemediationAI
Update RepairBuddy plugin to the latest patched version released by Ateeq Rafeeq; exact patch version was not confirmed in the provided data, so verify via the official WordPress plugin repository or Patchstack advisory page. Immediate workarounds include: (1) ensure WordPress site uses HTTPS for all transmissions to prevent network-level eavesdropping of exposed data, (2) review plugin logs and network traffic to identify what sensitive data (if any) is being transmitted unprotected, and (3) temporarily disable the plugin if sensitive customer data is at risk until a patch is confirmed available. Monitor the Patchstack reference (https://patchstack.com/database/Wordpress/Plugin/computer-repair-shop/vulnerability/wordpress-repairbuddy-plugin-4-1132-sensitive-data-exposure-vulnerability?_s_id=cve) for patch release notifications.
More in Repairbuddy
View allBroken access control in the RepairBuddy WordPress plugin (versions ≤ 4.1132) allows subscriber-level authenticated user
Broken access control in the RepairBuddy WordPress plugin (versions through 4.1121) allows authenticated low-privileged
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20228