Skip to main content

KiviCare CVE-2026-11990

| EUVDEUVD-2026-42864 MEDIUM
Missing Authorization (CWE-862)
2026-07-10 security@wordfence.com GHSA-9wwr-q273-mfwg
5.3
CVSS 3.1 · Vendor: wordfence
Share

Severity by source

Vendor (wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-exploitable REST API, no authentication or interaction required on default installs; integrity impact limited to appointment and payment records within plugin scope, no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (wordfence).

CVSS VectorVendor: wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 10:31 vuln.today
CVE Published
Jul 10, 2026 - 10:16 nvd
MEDIUM 5.3

DescriptionCVE.org

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to mark arbitrary pending appointments as Confirmed and forge an associated completed payment record in wp_kc_payments_appointment_mappings using an attacker-supplied payment ID, bypassing payment entirely. This exploit is achievable on a default installation because the gateway resolution logic returns all registered gateways regardless of admin-enabled status, making the manual (KCPayLater) gateway always selectable.

AnalysisAI

Authorization bypass in the KiviCare WordPress EHR plugin (all versions through 4.4.0) allows unauthenticated network attackers to confirm arbitrary pending clinic appointments and inject forged payment records into the wp_kc_payments_appointment_mappings table using attacker-supplied payment IDs, completely circumventing the payment collection process. The root defect is a two-part failure: the appointments API controller does not verify user authorization before processing status changes, and the KCPaymentGatewayFactory returns all registered gateways regardless of admin-enabled status - meaning the KCPayLater manual-payment gateway is always selectable, even by unauthenticated callers on default installations. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running KiviCare ≤4.4.0
Delivery
Enumerate pending appointment ID via unauthenticated API call
Exploit
Craft POST request to appointment confirm endpoint selecting KCPayLater gateway
Execution
Supply attacker-controlled payment ID in request body
Persist
Server records forged payment in wp_kc_payments_appointment_mappings
Impact
Appointment status set to Confirmed, payment obligation bypassed

Vulnerability AssessmentAI

Exploitation Exploitable against any default KiviCare WordPress installation running version 4.4.0 or earlier - no non-default configuration is required. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.3 Medium score with AV:N/AC:L/PR:N/UI:N accurately captures the technical exploitability - network-accessible, unauthenticated, no interaction, low complexity - but the I:L (low integrity) designation understates the business logic consequence: forging confirmed appointments and payment records is a direct financial fraud vector for clinic operators who may render services without collecting payment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker probes a clinic's WordPress site for the KiviCare plugin, identifies pending appointment IDs through the REST API, and sends a crafted POST request to the appointment confirmation endpoint selecting the KCPayLater gateway and supplying a fabricated payment ID - the server accepts this without any credential check, marks the appointment as Confirmed, and writes a completed payment record to the database, allowing the attacker (or a colluding patient) to obtain clinic services without payment. No public POC has been identified at time of analysis, but the straightforward nature of the bypass - default installation, no authentication, network-accessible REST endpoint - means the attack requires no specialized tooling.
Remediation Update the KiviCare plugin to the version released after 4.4.0 - SVN changeset 3599918 is the referenced fix commit, but the exact tagged release version has not been independently confirmed from available data; verify the current patched version via the WordPress.org plugin page or the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/efe4223a-5c1a-401e-a46b-0278e96d2d71. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-11990 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy