wpvulndb WPVDB-ID: E0741E2C-C529-4815-8744-16E01CDB0AED
History: Jun 05, 2023 - 12:00 a.m.

KiviCare Management System < 3.2.1 - Multiple CSRF

2023-06-05 00:00:00
wpscan.com
5
Tags: csrf, ajax actions, delete appointment, delete medical record, create user, update user, security vulnerability, kivicare management system

EPSS

0.002

Percentile

52.4%

The plugin does not have CSRF checks (either flawed or missing completely) in various AJAX actions, which could allow attackers to make logged-in users perform unwanted actions via CSRF attacks. This includes, but is not limited to, deleting arbitrary appointments, medical records, etc., and creating or updating various users (patients, doctors, etc.).

PoC

Make a logged-in admin open the following URL to make them delete the appointment with ID 1: https://example.com/wp-admin/admin-ajax.php?action=ajax_get&route_name=appointment_delete&id=1

Make a logged-in admin open a page with the HTML code below to make them delete the medical record with ID 1:

To make them create a new doctor:

To edit an existing doctor, add the ID and the correct email to the code above, e.g. (this will change their name, mobile number and gender as well as reset their specialisation etc.)
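The root cause described above is an AJAX handler that acts on any request reaching admin-ajax.php with a valid session cookie. The following is an added illustration of the fix pattern, not KiviCare's code: the action name demo_appointment_delete, the nonce field name and the helper demo_delete_appointment are assumptions.

```php
<?php
// Added example (not the plugin's code). Hypothetical action "demo_appointment_delete".

// Vulnerable shape: no nonce and no capability check, so a cross-site request
// carrying the victim's cookie is indistinguishable from an intended click.
function demo_appointment_delete_vulnerable() {
    $id = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;
    demo_delete_appointment( $id );
    wp_send_json_success();
}

// Hardened shape: a nonce bound to this specific action plus an authorisation check.
function demo_appointment_delete_hardened() {
    // check_ajax_referer() runs wp_verify_nonce() on the named request field and,
    // with the default third argument, stops the request with HTTP 403 on failure.
    check_ajax_referer( 'demo_appointment_delete', 'nonce' );

    // CSRF protection is not authorisation: still confirm this user may delete.
    // 'manage_options' is an assumption; use the capability the role really needs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }
    demo_delete_appointment( $id );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_appointment_delete', 'demo_appointment_delete_hardened' );

// Assumed helper: appointments are modelled as posts of an assumed custom type.
function demo_delete_appointment( $id ) {
    return wp_delete_post( $id, true );
}

// Hand the nonce to the plugin's own admin script so legitimate requests carry it.
function demo_enqueue_admin_script() {
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_appointment_delete' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_admin_script' );
```

Note that the hardened handler also moves the parameter to POST; a state-changing action reachable by a bare GET URL is exactly what the first PoC line abuses, and nonce checking is what closes it regardless of method.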

