Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Subscriber authentication (PR:L) required; network-reachable with no special configuration; all three impact dimensions are limited and scope is unchanged.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions.
AnalysisAI
Insecure Direct Object References (IDOR) in the KiviCare WordPress clinic management plugin through version 4.2.1 allows any authenticated subscriber to bypass object-level authorization and access or modify records belonging to other users. Because WordPress subscriber is the default role for self-registered users, this effectively exposes sensitive healthcare data - including patient records, appointments, and prescriptions - to any registered site user who can enumerate or guess object identifiers. No public exploit has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.
Technical ContextAI
KiviCare (CPE: cpe:2.3:a:iqonic_design:kivicare:*:*:*:*:*:*:*:*) is a WordPress plugin by Iqonic Design designed for clinic and healthcare management, handling sensitive personal health information such as patient records, appointment scheduling, and prescriptions. The root cause maps to CWE-639 (Authorization Through User-Controlled Key): the plugin uses user-supplied object identifiers - such as record or appointment IDs passed as request parameters - to look up and act on data objects without verifying that the requesting user is the authorized owner or has been explicitly granted access. This is a classic IDOR pattern; sequential or guessable integer IDs allow a low-privileged subscriber to enumerate records across the entire patient base. The WordPress subscriber role grants no administrative capabilities and is typically assigned automatically to any self-registered user, meaning the privilege barrier to exploitation is minimal on sites with open registration enabled.
RemediationAI
No specific patched version has been confirmed from the available data - the Patchstack advisory and NVD entry identify 4.2.1 as the upper bound of affected versions but do not explicitly name a fixed release. Administrators should monitor the WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-4-2-1-insecure-direct-object-references-idor-vulnerability for a patched release and apply it immediately when available. As compensating controls prior to patching: disable open user registration on the WordPress site to prevent untrusted individuals from obtaining subscriber accounts (Settings > General > uncheck 'Anyone can register'), accepting the trade-off that patient self-registration workflows will be disrupted. Alternatively, deploy a WAF rule to block or authenticate access to the KiviCare API endpoints at the network perimeter, restricting them to known IP ranges if the clinic operates from fixed locations. These controls reduce the exposed attack surface but do not eliminate the underlying authorization flaw.
The KiviCare WordPress plugin before 2.3.9 does not sanitise and escape some parameters before using them in SQL stateme
The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks (either flawed or missing completely) in various AJ
The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'vis
The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user
The KiviCare WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in the pag
The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, a
A Reflected Cross-Site Scripting (XSS) vulnerability exists in Iqonic Design's KiviCare clinic management system through
The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_i
Iqonic Design KiviCare clinic management system versions 3.6.16 and earlier contain an authorization bypass vulnerabilit
The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'sor
The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'ser
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36995
GHSA-22ch-h6m8-g2vp