cleantalk
Vulnerabilities and Security Researches

CRM WordPress Plugin – RepairBuddy, CVE-2024-12259

CVE, Research URL

CVE-2024-12259

Home page URL

Security reports for CRM WordPress Plugin – RepairBuddy

Application

CRM WordPress Plugin – RepairBuddy

Published on
Dec 18, 2024
Research Description
The CRM WordPress Plugin – RepairBuddy plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.8120. This is due to the plugin not properly validating a user's identity prior to updating their email through the wc_update_user_data AJAX action. This makes it possible for authenticated attackers, with subscriber-level access and above, to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account.
Affected versions
Min -, max 3.8122.
Status
vulnerable
Previous vulnerability researches
CRM WordPress Plugin – RepairBuddy (CVE-2024-51793) , Nov 12, 2024
CRM WordPress Plugin – RepairBuddy (CVE-2024-12259) , Dec 19, 2024
CRM WordPress Plugin – RepairBuddy (5de96d64bb570d61b961a41ccba6f5e4efc71a47) , Jun 07, 2024
CRM WordPress Plugin – RepairBuddy (CVE-2024-56061) , Jan 02, 2025
CRM WordPress Plugin – RepairBuddy (CVE-2025-32277) , Apr 06, 2025
New vulnerability
Integration for WooCommerce and QuickBooks (CVE-2025-39600) , Apr 18, 2025
GB Gallery Slideshow (CVE-2025-32649) , Apr 18, 2025
Question Answer (CVE-2025-32646) , Apr 18, 2025
PropertyHive (CVE-2025-39577) , Apr 18, 2025
WP-BusinessDirectory – Business directory plugin for WordPress (CVE-2025-32630) , Apr 18, 2025