CVE-2026-11990 KiviCare <= 4.4.0 - Missing Authorization to Unauthenticated Payment Bypass and Appointment Status Manipulation via /payment-success REST Endpoint
The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...