KiviCare – Clinic & Patient Management System (EHR) < 4.3.0 – Authenticated (Subscriber+) Insecure Direct Object Reference | CVE 2026-40792 | Plugin Vulnerabilities

Description

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.2.1 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

Affects Plugins

kivicare-clinic-management-system

Fixed in 4.3.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/6af0aa17-2bbf-489e-aedb-95b514f6c9a2

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Jakub Herman

Verified

No

WPVDB ID

9f62a1e2-0da0-4a40-af1d-a2eca00fa511

Timeline

Publicly Published

2026-04-23 (about 1 month ago)

Added

2026-04-30 (about 25 days ago)

Last Updated

2026-04-30 (about 25 days ago)

Other

Published

Title

Published

2024-10-14

Title

Contact Forms, Live Support, CRM, Video Messages < 1.11.1 - Unauthenticated Information Disclosure

Published

2026-04-29

Title

Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe < 29.0.0 - Authenticated (Subscriber+) Sensitive Information Exposure

Published

2026-04-21

Title

Table Manager <= 1.0.0 - Authenticated (Contributor+) Sensitive Information Exposure via 'table' Shortcode Attribute

Published

2024-06-10

Title

Advanced Contact form 7 DB < 2.0.3 - Sensitive Information Exposure

Published

2025-01-27

Title

Import and export users and customers < 1.27.13 - Unauthenticated Sensitive Information Disclosure