Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KiviCare: from n/a through <= 3.6.16.
AnalysisAI
Iqonic Design KiviCare clinic management system versions 3.6.16 and earlier contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data and disrupt service availability through improperly configured access controls. The vulnerability has no available patch and affects the system's ability to properly enforce permission levels across its features.
Technical ContextAI
KiviCare is a WordPress plugin-based clinic management system produced by Iqonic Design, as identified through CPE cpe:2.3:a:iqonic_design:kivicare:*:*:*:*:*:*:*:*. The vulnerability stems from improper implementation of role-based access control (RBAC) mechanisms, falling under CWE-862 (Missing Authorization). Rather than enforcing authentication checks before granting access to sensitive operations, the application either fails to validate user permissions or implements insufficient privilege escalation protections. In WordPress plugin contexts, this typically manifests as missing nonce verification, inadequate capability checks, or direct object references that allow authenticated (or sometimes unauthenticated) users to perform actions they should not be permitted to execute, such as accessing patient records, modifying clinic settings, or executing administrative functions.
RemediationAI
Organizations using KiviCare should upgrade immediately to a version newer than 3.6.16 as soon as a patched release becomes available from Iqonic Design. Contact Iqonic Design or monitor their official security announcements and the Patchstack vulnerability database for availability of a security patch. Until a patched version is deployed, implement compensating controls by restricting access to the WordPress administration panel and plugin functionality to trusted IP addresses, enforcing strong authentication (including multi-factor authentication for administrator accounts), and ensuring regular access log reviews to detect unauthorized privilege escalation attempts. Additionally, audit user role assignments within KiviCare to verify that users have only the minimum necessary permissions for their function, and review clinic management system logs for evidence of unauthorized access to sensitive data or administrative functions.
The KiviCare WordPress plugin before 2.3.9 does not sanitise and escape some parameters before using them in SQL stateme
The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks (either flawed or missing completely) in various AJ
The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'vis
The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user
The KiviCare WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in the pag
The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, a
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Iqonic Design's KiviCare clinic management system through
The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_i
The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'sor
The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'ser
Insecure Direct Object References (IDOR) in the KiviCare WordPress clinic management plugin through version 4.2.1 allows
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15634
GHSA-4wrc-rc9c-6pg4