Skip to main content

RepairBuddy EUVDEUVD-2026-31805

| CVE-2026-24638 MEDIUM
Missing Authorization (CWE-862)
2026-05-26 Patchstack GHSA-4q36-23hm-63mg
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 11:36 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in Webful Creations RepairBuddy allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects RepairBuddy: from n/a through 4.1121.

AnalysisAI

Broken access control in the RepairBuddy WordPress plugin (versions through 4.1121) allows authenticated low-privileged users to perform unauthorized actions affecting data integrity. The flaw stems from missing server-side authorization checks (CWE-862), permitting requests to access or modify functionality beyond the caller's intended permission level. No public exploit identified at time of analysis, EPSS sits at the 8th percentile (0.03%), and SSVC marks exploitation as none - placing real-world risk well below what the medium CVSS score of 4.3 might initially suggest.

Technical ContextAI

RepairBuddy is a WordPress plugin developed by Webful Creations, designed for computer repair shop management workflows (CPE: cpe:2.3:a:webful_creations:repairbuddy:*:*:*:*:*:*:*:*). CWE-862 (Missing Authorization) indicates that the plugin exposes one or more WordPress AJAX handlers, REST endpoints, or admin actions without verifying whether the calling user holds the capability required to execute them. In the WordPress security model, plugins are responsible for implementing their own capability checks (e.g., current_user_can()) on sensitive actions; failure to do so allows any subscriber-level or higher account to trigger privileged functionality. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms the flaw is reachable over the network with minimal complexity, but the Scope remains Unchanged and Confidentiality impact is None, meaning the misconfigured access control gate does not expose sensitive data reads - only unauthorized writes or state changes.

RemediationAI

No vendor-released patched version is independently confirmed from available data; the affected range is listed as 'through 4.1121' without a confirmed fixed release version. Site administrators running RepairBuddy should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/computer-repair-shop/vulnerability/wordpress-repairbuddy-plugin-4-1121-broken-access-control-vulnerability) and monitor the WordPress plugin repository for an updated release. As a compensating control pending a patch, administrators should restrict plugin-related sensitive actions to trusted, higher-privileged roles only and audit user accounts with subscriber or contributor roles that may have unintended access. Disabling the plugin entirely on sites with untrusted authenticated user bases is a higher-assurance interim measure, with the trade-off of losing repair shop management functionality. The NVD entry is available at https://nvd.nist.gov/vuln/detail/CVE-2026-24638 for ongoing monitoring.

Share

EUVD-2026-31805 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy