Skip to main content

Kivicare CVE-2026-25034

| EUVDEUVD-2026-15634 MEDIUM
Missing Authorization (CWE-862)
2026-03-25 Patchstack GHSA-4wrc-rc9c-6pg4
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15634
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
MEDIUM 6.5

DescriptionCVE.org

Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KiviCare: from n/a through <= 3.6.16.

AnalysisAI

Iqonic Design KiviCare clinic management system versions 3.6.16 and earlier contain an authorization bypass vulnerability that allows unauthenticated remote attackers to modify data and disrupt service availability through improperly configured access controls. The vulnerability has no available patch and affects the system's ability to properly enforce permission levels across its features.

Technical ContextAI

KiviCare is a WordPress plugin-based clinic management system produced by Iqonic Design, as identified through CPE cpe:2.3:a:iqonic_design:kivicare:*:*:*:*:*:*:*:*. The vulnerability stems from improper implementation of role-based access control (RBAC) mechanisms, falling under CWE-862 (Missing Authorization). Rather than enforcing authentication checks before granting access to sensitive operations, the application either fails to validate user permissions or implements insufficient privilege escalation protections. In WordPress plugin contexts, this typically manifests as missing nonce verification, inadequate capability checks, or direct object references that allow authenticated (or sometimes unauthenticated) users to perform actions they should not be permitted to execute, such as accessing patient records, modifying clinic settings, or executing administrative functions.

RemediationAI

Organizations using KiviCare should upgrade immediately to a version newer than 3.6.16 as soon as a patched release becomes available from Iqonic Design. Contact Iqonic Design or monitor their official security announcements and the Patchstack vulnerability database for availability of a security patch. Until a patched version is deployed, implement compensating controls by restricting access to the WordPress administration panel and plugin functionality to trusted IP addresses, enforcing strong authentication (including multi-factor authentication for administrator accounts), and ensuring regular access log reviews to detect unauthorized privilege escalation attempts. Additionally, audit user role assignments within KiviCare to verify that users have only the minimum necessary permissions for their function, and review clinic management system logs for evidence of unauthorized access to sensitive data or administrative functions.

CVE-2022-0786 CRITICAL POC
9.8 Jun 13

The KiviCare WordPress plugin before 2.3.9 does not sanitise and escape some parameters before using them in SQL stateme

CVE-2023-2628 HIGH POC
8.8 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks (either flawed or missing completely) in various AJ

CVE-2024-11728 HIGH POC
7.5 Dec 06

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'vis

CVE-2023-2623 MEDIUM POC
6.5 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user

CVE-2023-2624 MEDIUM POC
6.1 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in the pag

CVE-2023-2627 MEDIUM POC
4.3 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, a

CVE-2026-25383 HIGH
7.1 Mar 25

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Iqonic Design's KiviCare clinic management system through

CVE-2025-1572 MEDIUM
6.5 Feb 28

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_i

CVE-2024-11730 MEDIUM
6.5 Dec 06

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'sor

CVE-2024-11729 MEDIUM
6.5 Dec 06

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'ser

CVE-2026-40792 MEDIUM
6.3 Jun 15

Insecure Direct Object References (IDOR) in the KiviCare WordPress clinic management plugin through version 4.2.1 allows

Share

CVE-2026-25034 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy