PatchSiren cyber security CVE debrief
CVE-2026-24638 Webful Creations CVE debrief
A Missing Authorization vulnerability in the RepairBuddy WordPress plugin by Webful Creations allows authenticated users with low privileges to exploit incorrectly configured access control security levels. The vulnerability affects RepairBuddy versions from n/a through 4.1121. The issue was published to the CVE List on 2026-05-26 and carries a CVSS 3.1 score of 4.3 (Medium severity), with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N indicating network attack vector, low attack complexity, low privileges required, no user interaction, and low integrity impact. The vulnerability is classified under CWE-862 (Missing Authorization). The NVD entry currently shows a status of 'Deferred'. No known exploitation in ransomware campaigns has been reported, and this CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Webful Creations
- Product: RepairBuddy
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
WordPress site administrators using RepairBuddy plugin; security teams managing WordPress installations; developers responsible for access control implementation in WordPress plugins
Technical summary
The RepairBuddy WordPress plugin contains a Missing Authorization vulnerability (CWE-862) that permits exploitation of incorrectly configured access control security levels. Affected versions span from initial release through 4.1121. The vulnerability requires low-privileged authenticated access (PR:L) with no user interaction needed, allowing network-based attacks with low complexity. The integrity impact is rated low with no confidentiality or availability impact. The CVSS 3.1 base score of 4.3 reflects limited scope for unauthorized actions.
Defensive priority
medium
Recommended defensive actions
- Review and restrict user role permissions for RepairBuddy plugin functionality, ensuring least-privilege access controls are enforced
- Upgrade RepairBuddy plugin to a version newer than 4.1121 when available, following vendor security advisories
- Audit WordPress user accounts with access to RepairBuddy features and remove unnecessary privileges
- Monitor WordPress security logs for unauthorized access attempts to RepairBuddy administrative functions
- Consider implementing additional WordPress security hardening measures such as Web Application Firewall rules for access control endpoints
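The technical summary and the first defensive action above both come down to one pattern: a plugin handler that is reachable by any logged-in user but never asks whether that user is authorized to perform the action (CWE-862). The following is an added illustration, not RepairBuddy's code and not taken from the vendor; the hook name, capability name, post type and meta key are all invented for the example. It shows a hypothetical WordPress AJAX handler in the vulnerable shape beside a hardened version that enforces a nonce, a purpose-specific capability, an object-level check and an input allow-list, plus the least-privilege role grant that backs the capability check.

```php
<?php
/*
 * Added example, not RepairBuddy's code. Everything prefixed "example_"
 * is a hypothetical name chosen for this illustration.
 */

// --- Vulnerable shape (CWE-862): the handler only requires a login. ---
// wp_ajax_* hooks fire for every authenticated user, Subscribers included,
// so without a capability check any low-privilege account can call this and
// change data it should not be able to touch (the low integrity impact).
add_action( 'wp_ajax_example_update_job_status', 'example_update_job_status_insecure' );
function example_update_job_status_insecure() {
    $job_id = absint( $_POST['job_id'] ?? 0 );
    $status = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    update_post_meta( $job_id, '_example_job_status', $status );
    wp_send_json_success();
}

// --- Hardened shape: nonce + explicit capability + object-level check. ---
add_action( 'wp_ajax_example_update_job_status_v2', 'example_update_job_status_secure' );
function example_update_job_status_secure() {
    // 1. CSRF protection: dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_update_job_status', 'nonce' );

    $job_id = absint( $_POST['job_id'] ?? 0 );
    $status = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );

    // 2. Authorization: require a purpose-specific capability instead of
    //    "is logged in". Log the denial so it shows up in the monitoring
    //    recommended above.
    if ( ! current_user_can( 'example_manage_repair_jobs' ) ) {
        error_log( sprintf( 'example plugin: user %d denied status change on job %d',
            get_current_user_id(), $job_id ) );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Object-level check: the target must be a repair job and the caller
    //    must be allowed to edit that specific post, not just jobs in general.
    if ( get_post_type( $job_id ) !== 'example_repair_job'
        || ! current_user_can( 'edit_post', $job_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed for this job.' ), 403 );
    }

    // 4. Validate the new value against an allow-list before writing.
    $allowed = array( 'received', 'in_progress', 'completed' );
    if ( ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid status.' ), 400 );
    }

    update_post_meta( $job_id, '_example_job_status', $status );
    wp_send_json_success( array( 'job_id' => $job_id, 'status' => $status ) );
}

// Least privilege: grant the custom capability only to the roles that need
// it (assumed here to be administrators and editors), at activation time,
// rather than gating the action on a login or on an unrelated capability.
register_activation_hook( __FILE__, 'example_add_repair_caps' );
function example_add_repair_caps() {
    foreach ( array( 'administrator', 'editor' ) as $role_name ) {
        $role = get_role( $role_name );
        if ( $role ) {
            $role->add_cap( 'example_manage_repair_jobs' );
        }
    }
}
```

When auditing a plugin for this class of bug, the quick check is to list every `wp_ajax_*`, `admin_post_*`, REST route and shortcode callback and confirm each one reaches a `current_user_can()` (or a REST `permission_callback`) before any write; `is_user_logged_in()` and a nonce alone are not authorization, because a nonce only proves the request came from a page the same user loaded.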
Evidence notes
Vulnerability identified by Patchstack and reported to CVE with CVSS 3.1 scoring. NVD status is 'Deferred' as of modified date 2026-05-26T19:31:20.323Z. Vendor attribution to Webful Creations is based on reference domain analysis with low confidence and requires review.
Official resources
- CVE-2026-24638 CVE record (CVE.org)
- CVE-2026-24638 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: 2026-05-26