Skip to main content

KiviCare CVE-2026-42735

| EUVDEUVD-2026-32187 HIGH
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-27 audit@patchstack.com GHSA-ww95-xww8-jvm2
8.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:50 vuln.today

DescriptionCVE.org

Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Password Recovery Exploitation.This issue affects KiviCare: from n/a through <= 4.3.0.

AnalysisAI

Authentication bypass in the KiviCare Clinic & Patient Management WordPress plugin (versions through 4.3.0) lets remote unauthenticated attackers abuse the password-recovery flow as an alternate channel to take over user accounts. Because the recovery process can be exploited to gain access without valid credentials, an attacker can compromise clinic accounts and read sensitive data. No public exploit identified at time of analysis, and the EPSS score is very low (0.04%, 13th percentile), indicating no observed mass-exploitation pressure yet.

Technical ContextAI

KiviCare is a clinic and patient management plugin for WordPress, so the vulnerable component runs server-side within a WordPress installation and is reachable over HTTP. The root cause is CWE-288, Authentication Bypass Using an Alternate Path or Channel: the password-recovery feature provides a code path that grants authenticated access without enforcing the normal credential check, effectively letting an attacker reset or assume access to an account through the recovery channel rather than the front-door login. No CPE strings were supplied in the input; affected scope is identified by the plugin slug kivicare-clinic-management-system as published in the Patchstack/ENISA EUVD entry (EUVD-2026-32187).

RemediationAI

No vendor-released patched version is identified in the available data; the affected range 'through ≤ 4.3.0' implies a fix exists in a release above 4.3.0, but the exact fixed version is not confirmed in the input - verify the current fixed version on the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-4-3-0-broken-authentication-vulnerability?_s_id=cve) and the WordPress.org plugin page, then upgrade to the latest available KiviCare release. Until a confirmed fixed version is applied, compensating controls include restricting access to the plugin's password-recovery and account endpoints (for example via WAF rules or web-server access rules that limit who can reach the recovery functionality), placing the WordPress admin and clinic portal behind IP allowlisting or an authentication proxy, and monitoring for anomalous password-reset/recovery requests; the trade-off is that endpoint restrictions can break legitimate self-service password recovery for patients and staff. If the plugin is non-essential, temporarily deactivating it removes exposure at the cost of clinic-management functionality.

Share

CVE-2026-42735 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy