Vulnerabilities and security researches forcomputer-repair-shop computer-repair-shop

Jun 07, 2024

CVE, Research URL: 5de96d64bb570d61b961a41ccba6f5e4efc71a47
Home page URL: Security reports for CRM WordPress Plugin – RepairBuddy
Application: CRM WordPress Plugin – RepairBuddy
Date: Jan 13, 2020
Research Description: CRM WordPress Plugin – RepairBuddy [computer-repair-shop] < 2.0 (closed) WordPress Computer Repair Shop plugin <= 1.0 - Cross-Site Scripting (XSS) vulnerability Cross-Site Scripting (XSS) vulnerability discovered by Jeroen Mulder in WordPress Computer Repair Shop plugin (versions <= 1.0).
Affected versions: max 2.0.
Status: vulnerable

Nov 12, 2024

CVE, Research URL: CVE-2024-51793
Home page URL: Security reports for CRM WordPress Plugin – RepairBuddy
Application: CRM WordPress Plugin – RepairBuddy
Date: Nov 11, 2024
Research Description: Unrestricted Upload of File with Dangerous Type vulnerability in Webful Creations Computer Repair Shop allows Upload a Web Shell to a Web Server.This issue affects Computer Repair Shop: from n/a through 3.8115.
Affected versions: max 3.8116.
Status: vulnerable

Dec 19, 2024

CVE, Research URL: CVE-2024-12259
Home page URL: Security reports for CRM WordPress Plugin – RepairBuddy
Application: CRM WordPress Plugin – RepairBuddy
Date: Dec 18, 2024
Research Description: The CRM WordPress Plugin – RepairBuddy plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.8120. This is due to the plugin not properly validating a user's identity prior to updating their email through the wc_update_user_data AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Affected versions: max 3.8122.
Status: vulnerable

Jan 02, 2025

CVE, Research URL: CVE-2024-56061
Home page URL: Security reports for CRM WordPress Plugin – RepairBuddy
Application: CRM WordPress Plugin – RepairBuddy
Date: Dec 31, 2024
Research Description: Missing Authorization vulnerability in Webful Creations Computer Repair Shop allows Privilege Escalation.This issue affects Computer Repair Shop: from n/a through 3.8119.
Affected versions: max 3.8120.
Status: vulnerable

Apr 06, 2025

CVE, Research URL: CVE-2025-32277
Home page URL: Security reports for CRM WordPress Plugin – RepairBuddy
Application: CRM WordPress Plugin – RepairBuddy
Date: Apr 04, 2025
Research Description: Missing Authorization vulnerability in Ateeq Rafeeq RepairBuddy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RepairBuddy: from n/a through 3.8211.
Affected versions: max 3.8211.
Status: vulnerable

Apr 13, 2026

CVE, Research URL: CVE-2026-39586
Home page URL: Security reports for CRM WordPress Plugin – RepairBuddy
Application: CRM WordPress Plugin – RepairBuddy
Date: Apr 08, 2026
Research Description: Insertion of Sensitive Information Into Sent Data vulnerability in Ateeq Rafeeq RepairBuddy computer-repair-shop allows Retrieve Embedded Sensitive Data.This issue affects RepairBuddy: from n/a through <= 4.1132.
Affected versions: max 4.1133.
Status: vulnerable

CVE, Research URL: CVE-2026-3567
Home page URL: Security reports for CRM WordPress Plugin – RepairBuddy
Application: CRM WordPress Plugin – RepairBuddy
Date: Mar 21, 2026
Research Description: The RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 4.1132. The plugin exposes two AJAX handlers that, when combined, allow any authenticated user to modify admin-level plugin settings. First, the wc_rb_get_fresh_nonce() function (registered via wp_ajax and wp_ajax_nopriv hooks) allows any user to generate a valid WordPress nonce for any arbitrary action name by simply providing the nonce_name parameter, with no capability checks. Second, the wc_rep_shop_settings_submission() function only verifies the nonce (wcrb_main_setting_nonce) but performs no current_user_can() capability check before updating 15+ plugin options via update_option(). This makes it possible for authenticated attackers, with subscriber-level access and above, to modify all plugin configuration settings including business name, email, logo, menu label, GDPR settings, and more by first minting a valid nonce via the wc_rb_get_fresh_nonce endpoint and then calling the settings submission handler.
Affected versions: max 4.1133.
Status: vulnerable

May 02, 2026

CVE, Research URL: CVE-2026-39584
Home page URL: Security reports for CRM WordPress Plugin – RepairBuddy
Application: CRM WordPress Plugin – RepairBuddy
Date: -
Research Description: RepairBuddy – Repair Shop CRM & Booking Plugin for WordPress [computer-repair-shop] < 4.1133 CVE-2026-39584
Affected versions: max 4.1133.
Status: vulnerable

May 28, 2026

CVE, Research URL: CVE-2026-24638
Home page URL: Security reports for CRM WordPress Plugin – RepairBuddy
Application: CRM WordPress Plugin – RepairBuddy
Date: May 26, 2026
Research Description: Missing Authorization vulnerability in Webful Creations RepairBuddy allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RepairBuddy: from n/a through 4.1121.
Affected versions: max 4.1125.
Status: vulnerable