VYPR
Medium severity · CVSS 4.3 · NVD Advisory · Published Apr 4, 2025 · Updated Apr 23, 2026

CVE-2025-32277

Description

Missing authorization in RepairBuddy (≤3.8213) allows attackers to bypass access controls and exploit incorrectly configured security levels.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Missing Authorization vulnerability in Ateeq Rafeeq RepairBuddy (computer-repair-shop) for WordPress allows exploiting incorrectly configured access control security levels. This issue affects RepairBuddy versions from n/a through 3.8213 [1]. The plugin is a repair shop CRM and booking system that manages devices, work orders, and payments, but it fails to enforce access controls on certain endpoints or actions: privileged operations are reachable without the capability check that should gate them.
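To make the vulnerability class concrete, the following added example (constructed for this page, not code from RepairBuddy or any real plugin) shows the missing-authorization pattern in a WordPress admin-ajax handler next to its hardened form. The action names, the `manage_options` capability, the nonce name and the `shop_currency` option key are all assumed for illustration; the advisory does not identify which RepairBuddy endpoint is affected.

```php
<?php
/**
 * Hypothetical WordPress plugin handlers illustrating CWE-862 (Missing
 * Authorization). Constructed example for this advisory page; NOT code
 * from RepairBuddy. Action names, capability, nonce and option key are assumed.
 */

// --- Vulnerable pattern --------------------------------------------------
// The action is registered for both logged-in and anonymous callers
// (wp_ajax_ and wp_ajax_nopriv_) and the handler never asks who is calling
// or what they may do. Anyone who can reach admin-ajax.php can change the
// setting. This is the shape of defect the advisory describes.
add_action( 'wp_ajax_shop_update_settings',        'shop_update_settings_unsafe' );
add_action( 'wp_ajax_nopriv_shop_update_settings', 'shop_update_settings_unsafe' );

function shop_update_settings_unsafe() {
    $currency = isset( $_POST['currency'] ) ? $_POST['currency'] : '';
    update_option( 'shop_currency', $currency ); // privileged write, no check
    wp_send_json_success();
}

// --- Hardened pattern ----------------------------------------------------
// 1. No nopriv hook: anonymous requests never reach the handler.
// 2. check_ajax_referer() ties the request to a nonce the user was served
//    (blocks CSRF) and calls wp_die() on failure.
// 3. current_user_can() enforces the capability the action actually needs,
//    independent of role names, so low-privileged accounts are refused.
// 4. Input is unslashed and sanitized before it is stored.
add_action( 'wp_ajax_shop_update_settings', 'shop_update_settings_safe' );

function shop_update_settings_safe() {
    check_ajax_referer( 'shop_settings_nonce', '_wpnonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() terminates the request, so no return needed.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $currency = isset( $_POST['currency'] )
        ? sanitize_text_field( wp_unslash( $_POST['currency'] ) )
        : '';
    update_option( 'shop_currency', $currency );
    wp_send_json_success();
}

// --- Same rule for REST endpoints ----------------------------------------
// A REST route's permission_callback is where the capability check belongs.
// Registering it with '__return_true' is the REST equivalent of the unsafe
// handler above; this version refuses any caller lacking the capability
// before the callback runs.
add_action( 'rest_api_init', function () {
    register_rest_route( 'shop/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            $currency = sanitize_text_field( (string) $request->get_param( 'currency' ) );
            update_option( 'shop_currency', $currency );
            return rest_ensure_response( array( 'updated' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

When reviewing a plugin for this class of issue, the checks to look for are exactly the ones the unsafe handler lacks: a `nopriv` registration for an action that writes data, an AJAX or REST callback with no `current_user_can()` call, and a REST route whose `permission_callback` is `__return_true`.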

Exploitation

An attacker needs no special privileges beyond network access to the WordPress installation. By sending crafted requests to vulnerable endpoints, the attacker can exploit the missing authorization checks. The exact sequence depends on the specific unpatched functionality but generally involves accessing administrative or privileged actions without proper authentication or capability verification.

Impact

Successful exploitation allows an attacker to perform unauthorized actions, potentially leading to information disclosure, modification of data, or privilege escalation. The scope of compromise depends on which access controls are incorrectly configured, but the medium CVSS score (4.3) indicates a moderate confidentiality or integrity impact without requiring high privileges.

Mitigation

Update RepairBuddy to version 3.8214 or higher, which contains a fix for this vulnerability [1]. If updating is not immediately possible, restrict network access to the plugin's administrative pages and review user roles to minimize exposure. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (0)

No patches discovered yet.

References (1)
