Skip to main content

KiviCare EUVDEUVD-2026-36995

| CVE-2026-40792 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-15 Patchstack GHSA-22ch-h6m8-g2vp
6.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
6.3 MEDIUM

Subscriber authentication (PR:L) required; network-reachable with no special configuration; all three impact dimensions are limited and scope is unchanged.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 23:07 vuln.today

DescriptionCVE.org

Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions.

AnalysisAI

Insecure Direct Object References (IDOR) in the KiviCare WordPress clinic management plugin through version 4.2.1 allows any authenticated subscriber to bypass object-level authorization and access or modify records belonging to other users. Because WordPress subscriber is the default role for self-registered users, this effectively exposes sensitive healthcare data - including patient records, appointments, and prescriptions - to any registered site user who can enumerate or guess object identifiers. No public exploit has been identified at time of analysis, and this vulnerability has not been listed in the CISA KEV catalog.

Technical ContextAI

KiviCare (CPE: cpe:2.3:a:iqonic_design:kivicare:*:*:*:*:*:*:*:*) is a WordPress plugin by Iqonic Design designed for clinic and healthcare management, handling sensitive personal health information such as patient records, appointment scheduling, and prescriptions. The root cause maps to CWE-639 (Authorization Through User-Controlled Key): the plugin uses user-supplied object identifiers - such as record or appointment IDs passed as request parameters - to look up and act on data objects without verifying that the requesting user is the authorized owner or has been explicitly granted access. This is a classic IDOR pattern; sequential or guessable integer IDs allow a low-privileged subscriber to enumerate records across the entire patient base. The WordPress subscriber role grants no administrative capabilities and is typically assigned automatically to any self-registered user, meaning the privilege barrier to exploitation is minimal on sites with open registration enabled.

RemediationAI

No specific patched version has been confirmed from the available data - the Patchstack advisory and NVD entry identify 4.2.1 as the upper bound of affected versions but do not explicitly name a fixed release. Administrators should monitor the WordPress plugin repository and the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-4-2-1-insecure-direct-object-references-idor-vulnerability for a patched release and apply it immediately when available. As compensating controls prior to patching: disable open user registration on the WordPress site to prevent untrusted individuals from obtaining subscriber accounts (Settings > General > uncheck 'Anyone can register'), accepting the trade-off that patient self-registration workflows will be disrupted. Alternatively, deploy a WAF rule to block or authenticate access to the KiviCare API endpoints at the network perimeter, restricting them to known IP ranges if the clinic operates from fixed locations. These controls reduce the exposed attack surface but do not eliminate the underlying authorization flaw.

CVE-2022-0786 CRITICAL POC
9.8 Jun 13

The KiviCare WordPress plugin before 2.3.9 does not sanitise and escape some parameters before using them in SQL stateme

CVE-2023-2628 HIGH POC
8.8 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks (either flawed or missing completely) in various AJ

CVE-2024-11728 HIGH POC
7.5 Dec 06

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'vis

CVE-2023-2623 MEDIUM POC
6.5 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user

CVE-2023-2624 MEDIUM POC
6.1 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in the pag

CVE-2023-2627 MEDIUM POC
4.3 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, a

CVE-2026-25383 HIGH
7.1 Mar 25

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Iqonic Design's KiviCare clinic management system through

CVE-2025-1572 MEDIUM
6.5 Feb 28

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_i

CVE-2026-25034 MEDIUM
6.5 Mar 25

Iqonic Design KiviCare clinic management system versions 3.6.16 and earlier contain an authorization bypass vulnerabilit

CVE-2024-11730 MEDIUM
6.5 Dec 06

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'sor

CVE-2024-11729 MEDIUM
6.5 Dec 06

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'ser

Share

EUVD-2026-36995 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy