WordPress Plugin Vulnerabilities

KiviCare – Clinic & Patient Management System (EHR) < 4.0.0 - Missing Authorization

Description

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.6.16. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
kivicare-clinic-management-system
Fixed in 4.0.0

References

CVE
CVE-2026-25034
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9b19240c-d143-4360-9696-47358983178f

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
andrea bocchetti
Verified
No
WPVDB ID
a270ec41-9f83-4ee9-b13a-dfe8c7a68c2d

Timeline

Publicly Published
2026-03-23 (about 2 months ago)
Added
2026-04-02 (about 1 month ago)
Last Updated
2026-04-02 (about 1 month ago)

Other

Published
Title
Published
2025-10-14
Title
Zip Attachments <= 1.6 - Missing Authorization to Limited File Deletion
Published
2024-12-11
Title
de:branding <= 1.0.2 - Authenticated (Subscriber+) Arbitrary Options Update
Published
2025-01-06
Title
LazyLoad Background Images <= 1.0.7 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Update
Published
2024-04-26
Title
ColibriWP Theme framework - Various Versions and Themes - Missing Authorization
Published
2025-01-14
Title
VOD Infomaniak < 1.5.10 - Missing Authorization