vulnerability

WordPress Plugin: computer-repair-shop: CVE-2026-0820: Missing Authorization

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
5	(AV:N/AC:L/Au:N/C:N/I:P/A:N)	Jan 16, 2026	Jan 19, 2026	Jan 19, 2026

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:P/A:N)

Published

Jan 16, 2026

Added

Jan 19, 2026

Modified

Jan 19, 2026

Description

The RepairBuddy – Repair Shop CRM and Booking Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference due to missing capability checks on the wc_upload_and_save_signature_handler function in all versions up to, and including, 4.1116. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary signatures to any order in the system, potentially modifying order metadata and triggering unauthorized status changes.

Solution

computer-repair-shop-plugin-cve-2026-0820

References

URL-https://www.cve.org/CVERecord?id=CVE-2026-0820
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/1b2ad299-03b1-4b9e-a241-d2ad2d85c3ac?source=api-prod
CVE-2026-0820
https://attackerkb.com/topics/CVE-2026-0820
CWE-862

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today