Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Password Recovery Exploitation.This issue affects KiviCare: from n/a through <= 4.3.0.
AnalysisAI
Authentication bypass in the KiviCare Clinic & Patient Management WordPress plugin (versions through 4.3.0) lets remote unauthenticated attackers abuse the password-recovery flow as an alternate channel to take over user accounts. Because the recovery process can be exploited to gain access without valid credentials, an attacker can compromise clinic accounts and read sensitive data. No public exploit identified at time of analysis, and the EPSS score is very low (0.04%, 13th percentile), indicating no observed mass-exploitation pressure yet.
Technical ContextAI
KiviCare is a clinic and patient management plugin for WordPress, so the vulnerable component runs server-side within a WordPress installation and is reachable over HTTP. The root cause is CWE-288, Authentication Bypass Using an Alternate Path or Channel: the password-recovery feature provides a code path that grants authenticated access without enforcing the normal credential check, effectively letting an attacker reset or assume access to an account through the recovery channel rather than the front-door login. No CPE strings were supplied in the input; affected scope is identified by the plugin slug kivicare-clinic-management-system as published in the Patchstack/ENISA EUVD entry (EUVD-2026-32187).
RemediationAI
No vendor-released patched version is identified in the available data; the affected range 'through ≤ 4.3.0' implies a fix exists in a release above 4.3.0, but the exact fixed version is not confirmed in the input - verify the current fixed version on the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-4-3-0-broken-authentication-vulnerability?_s_id=cve) and the WordPress.org plugin page, then upgrade to the latest available KiviCare release. Until a confirmed fixed version is applied, compensating controls include restricting access to the plugin's password-recovery and account endpoints (for example via WAF rules or web-server access rules that limit who can reach the recovery functionality), placing the WordPress admin and clinic portal behind IP allowlisting or an authentication proxy, and monitoring for anomalous password-reset/recovery requests; the trade-off is that endpoint restrictions can break legitimate self-service password recovery for patients and staff. If the plugin is non-essential, temporarily deactivating it removes exposure at the cost of clinic-management functionality.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32187
GHSA-ww95-xww8-jvm2