CVE-2023-2628

2023-06-2714:15:11

WPScan

web.nvd.nist.gov

cve-2023-2628

kivicare

wordpress

plugin

csrf

security vulnerability

ajax

nvd

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

8.7

Confidence

High

EPSS

0.002

Percentile

52.4%

JSON

The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks (either flawed or missing completely) in various AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. This includes, but is not limited to: Delete arbitrary appointments/medical records/etc, create/update various users (patients, doctors etc)

Affected configurations

Nvd

Vulners

Node

iqonickivicareRange<3.2.1wordpress

VendorProductVersionCPE
iqonickivicare*cpe:2.3:a:iqonic:kivicare:*:*:*:*:*:wordpress:*:*

Vendor	Product	Version	CPE
iqonic	kivicare	*	cpe:2.3:a:iqonic:kivicare::::::wordpress::*

CNA Affected

[
  {
    "vendor": "Unknown",
    "product": "KiviCare",
    "versions": [
      {
        "status": "affected",
        "versionType": "custom",
        "version": "0",
        "lessThan": "3.2.1"
      }
    ],
    "defaultStatus": "unaffected",
    "collectionURL": "https://wordpress.org/plugins"
  }
]