CVE-2026-25034

KiviCare – Clinic & Patient Management System (EHR) <= 3.6.16 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
4.0.0
Patched in
11d
Time to patch

Description

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.6.16. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.6.16
PublishedMarch 23, 2026
Last updatedApril 2, 2026

What Changed in the Fix

Changes introduced in v4.0.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2026-25034 (KiviCare Missing Authorization) ## 1. Vulnerability Summary The **KiviCare – Clinic & Patient Management System (EHR)** plugin (<= 3.6.16) contains a "Missing Authorization" vulnerability. This occurs because specific administrative or state-changing fu…

Show full research plan

Exploitation Research Plan: CVE-2026-25034 (KiviCare Missing Authorization)

1. Vulnerability Summary

The KiviCare – Clinic & Patient Management System (EHR) plugin (<= 3.6.16) contains a "Missing Authorization" vulnerability. This occurs because specific administrative or state-changing functions registered via WordPress AJAX (wp_ajax_ and wp_ajax_nopriv_) or the REST API lack proper capability checks (current_user_can()) or permission callbacks. Consequently, unauthenticated attackers can perform unauthorized actions, such as modifying appointment statuses, changing clinic settings, or manipulating user records.

2. Attack Vector Analysis

  • Target Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Action: kivicare_update_appointment_status (or potentially kivicare_discard_appointment or kivicare_save_appointment_widget_setting).
  • HTTP Method: POST
  • Authentication: None (Unauthenticated).
  • Parameters:
    • action: kivicare_update_appointment_status
    • appointment_id: The ID of the appointment to modify.
    • status: The new status (e.g., cancelled, confirmed, checkout).
    • _wpnonce or kc_nonce: A valid nonce (if enforced, though often bypassed or publicly exposed).

3.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.