What is the CVSS score of CVE-2026-42735?

CVE-2026-42735 has a CVSS 3.1 base score of 8.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of KiviCare are affected by CVE-2026-42735?

The KiviCare Clinic & Patient Management WordPress plugin (versions ≤4.3.0) contains an authentication bypass vulnerability in its password-recovery mechanism that allows unauthenticated attackers to…

KiviCare CVE-2026-42735

Q: How to fix or mitigate CVE-2026-42735?

Within 24 hours: Conduct an inventory of all WordPress instances running KiviCare versions 4.3.0 or earlier; identify which accounts have administrative or patient-access privileges. Within 7 days: Implement interim controls-disable the password-recovery feature if operationally feasible, or deploy WAF rules to rate-limit password-recovery endpoints; enforce multi-factor authentication on all staff accounts. Within 30 days: Monitor KiviCare vendor advisories for patch release; if no patch is released within 30 days, execute migration plan to alternative clinic management software or implement strict access controls + continuous monitoring.

EUVD-2026-32187 HIGH

Authentication Bypass Using an Alternate Path or Channel (CWE-288)

2026-05-27 audit@patchstack.com

GHSA-ww95-xww8-jvm2

Authentication Bypass

8.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

May 27, 2026 - 20:50 vuln.today

DescriptionNVD

Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Password Recovery Exploitation.This issue affects KiviCare: from n/a through <= 4.3.0.

AnalysisAI

Authentication bypass in the KiviCare Clinic & Patient Management WordPress plugin (versions through 4.3.0) lets remote unauthenticated attackers abuse the password-recovery flow as an alternate channel to take over user accounts. Because the recovery process can be exploited to gain access without valid credentials, an attacker can compromise clinic accounts and read sensitive data. …

RemediationAI

Within 24 hours: Conduct an inventory of all WordPress instances running KiviCare versions 4.3.0 or earlier; identify which accounts have administrative or patient-access privileges. Within 7 days: Implement interim controls-disable the password-recovery feature if operationally feasible, or deploy WAF rules to rate-limit password-recovery endpoints; enforce multi-factor authentication on all staff accounts. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42735 vulnerability details – vuln.today

Back

KiviCare CVE-2026-42735

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code