Skip to main content

Kivicare CVE-2026-25383

| EUVDEUVD-2026-15703 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-qwjr-hq3m-j5xf
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15703
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Reflected XSS.This issue affects KiviCare: from n/a through <= 3.6.16.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Iqonic Design's KiviCare clinic management system through version 3.6.16, allowing attackers to inject malicious scripts into web pages viewed by users. An attacker can craft a malicious URL containing JavaScript payload and trick users into clicking it, enabling session hijacking, credential theft, or unauthorized actions within the clinic management system. No CVSS score, EPSS probability, or KEV status are available, though the vulnerability was publicly disclosed by Patchstack and is categorized under CWE-79 (Improper Neutralization of Input During Web Page Generation).

Technical ContextAI

The vulnerability is a Reflected XSS flaw classified under CWE-79, which occurs when user-supplied input is improperly sanitized before being rendered in HTML responses. KiviCare, identified via CPE cpe:2.3:a:iqonic_design:kivicare:*:*:*:*:*:*:*:*, is a WordPress-based clinic management plugin that fails to adequately neutralize malicious input parameters during web page generation. This allows attackers to bypass input validation and output encoding mechanisms, enabling arbitrary JavaScript execution in the victim's browser within the context of the vulnerable application's origin.

RemediationAI

Immediately upgrade KiviCare to a version newer than 3.6.16 once available from Iqonic Design, or contact the vendor at https://patchstack.com/ for patch availability and timeline information. Until an official patch is released, implement defense-in-depth controls: enforce strict Content Security Policy (CSP) headers to prevent inline script execution, enable HTTP-only and Secure flags on session cookies, and deploy a Web Application Firewall (WAF) with rules to detect and block XSS payloads in query parameters and form inputs. Additionally, restrict administrative access to KiviCare installations to trusted IP ranges and educate users not to click on untrusted links referencing the clinic management system.

CVE-2022-0786 CRITICAL POC
9.8 Jun 13

The KiviCare WordPress plugin before 2.3.9 does not sanitise and escape some parameters before using them in SQL stateme

CVE-2023-2628 HIGH POC
8.8 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks (either flawed or missing completely) in various AJ

CVE-2024-11728 HIGH POC
7.5 Dec 06

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'vis

CVE-2023-2623 MEDIUM POC
6.5 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user

CVE-2023-2624 MEDIUM POC
6.1 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in the pag

CVE-2023-2627 MEDIUM POC
4.3 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, a

CVE-2025-1572 MEDIUM
6.5 Feb 28

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_i

CVE-2026-25034 MEDIUM
6.5 Mar 25

Iqonic Design KiviCare clinic management system versions 3.6.16 and earlier contain an authorization bypass vulnerabilit

CVE-2024-11730 MEDIUM
6.5 Dec 06

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'sor

CVE-2024-11729 MEDIUM
6.5 Dec 06

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'ser

CVE-2026-40792 MEDIUM
6.3 Jun 15

Insecure Direct Object References (IDOR) in the KiviCare WordPress clinic management plugin through version 4.2.1 allows

Share

CVE-2026-25383 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy