WordPress Plugin Vulnerabilities

KiviCare < 3.6.7 - Patient+ Insecure Direct Object Reference

Description

The plugin is vulnerable to Insecure Direct Object Reference due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with patient-level access and above, to perform an unauthorized action.

Affects Plugins

Plugin icon
kivicare-clinic-management-system
Fixed in 3.6.7

References

CVE
CVE-2024-35659
URL
https://patchstack.com/database/wordpress/plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-2-insecure-direct-object-references-idor-vulnerability

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Van Lyubov
Verified
No
WPVDB ID
42add081-8570-4cef-b5b7-53fa2d8aaff2

Timeline

Publicly Published
2024-06-03 (about 1 year ago)
Added
2024-06-11 (about 1 year ago)
Last Updated
2025-01-29 (about 1 year ago)

Other

Published
Title
Published
2023-07-26
Title
ACF Photo Gallery Field < 2.0 - Subscriber+ UserMeta Update
Published
2022-04-14
Title
WP 2FA < 2.2.0 - Arbitrary 2FA Disabling via IDOR
Published
2025-05-19
Title
WP Job Portal < 2.3.3 - Unauthenticated Insecure Direct Object Reference
Published
2025-04-23
Title
Woocommerce Automatic Order Printing | ( Formerly WooCommerce Google Cloud Print) <= 4.1 - Insecure Direct Object Reference to Authenticated (Subscriber+) Order Information Disclosure
Published
2024-04-16
Title
FileBird < 5.6.4 - Author+ Users Folder Deletion