CVE-2026-39584

Vulnerability

A broken access control vulnerability exists in the RepairBuddy plugin for WordPress (plugin slug computer-repair-shop), affecting all versions up to and including 4.1132. The issue stems from missing authorization or authentication checks in a function, enabling subscribers to perform actions that should require higher privileges [1].

Exploitation

An authenticated attacker with subscriber-level access can exploit this vulnerability by sending crafted requests to the affected plugin endpoint. No specific network position or additional user interaction is required beyond standard WordPress authentication. The vulnerability is expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Impact

Successful exploitation allows an unprivileged subscriber to execute a certain higher privileged action, leading to unauthorized modifications or data exposure. The CVSS v3 base score is 6.5 (Medium), indicating a moderate severity with potential for unauthorized access control bypass [1].

Mitigation

The vulnerability is fixed in version 4.1133 of the plugin. Users should update to this version or later immediately. As a workaround, Patchstack provides a mitigation rule to block attacks until the update is applied. For sites unable to update immediately, contacting the hosting provider or web developer is recommended [1].