4 matches found

CVE
added 2026/03/18 3:28 p.m. | 8 views

CVE-2026-2992

The vulnerability affects the KiviCare – Clinic & Patient Management System (EHR) WordPress plugin up to version 4.1.2. A missing authorization flaw exists on the REST endpoint /wp-json/kivicare/v1/setup-wizard/clinic, enabling unauthenticated attackers to create a new clinic and a WordPress user...

8.2 CVSS | 5.8 AI score | 0.00248 EPSS
Exploits: 0 | References: 4

NVD
added 2023/06/27 2:15 p.m. | 17 views

CVE-2023-2627

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated user, such as a subscriber, to call them. Attacks include but are not limited to: Add arbitrary Clinic Admin/Doctors/etc and update plugin's settings...

4.3 CVSS | 4.7 AI score | 0.00247 EPSS
Exploits: 2 | References: 1

wpexploit
added 2023/06/05 12:0 a.m. | 195 views

KiviCare Management System < 3.2.1 - Subscriber+ Unauthorised AJAX Calls

The plugin does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated user, such as a subscriber, to call them. Attacks include but are not limited to: Add arbitrary Clinic Admin/Doctors/etc and update plugin's settings. Run one of the below commands in th...

4.3 CVSS | 9.3 AI score | 0.00247 EPSS
Exploits: 2

WPVulnDB
added 2023/06/05 12:0 a.m. | 14 views

KiviCare Management System < 3.2.1 - Subscriber+ Unauthorised AJAX Calls

The plugin does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated user, such as a subscriber, to call them. Attacks include but are not limited to: Add arbitrary Clinic Admin/Doctors/etc and update plugin's settings. PoC: Run one of the below commands i...

4.3 CVSS | 8.8 AI score | 0.00247 EPSS
Exploits: 2 | Affected Software: 1