WordPress Plugin Vulnerabilities

KiviCare Management System < 3.2.1 - Multiple CSRF

Description

The plugin does not have CSRF checks (either flawed or missing completely) in various AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. This includes, but is not limited to: Delete arbitrary appointments/medical records/etc, create/update various users (patients, doctors etc)

Proof of Concept

Affects Plugins

Plugin icon
kivicare-clinic-management-system
Fixed in 3.2.1

References

CVE
CVE-2023-2628

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
8.1 (high)

Miscellaneous

Original Researcher
Erwan LR (WPScan)
Verified
Yes
WPVDB ID
e0741e2c-c529-4815-8744-16e01cdb0aed

Timeline

Publicly Published
2023-06-05 (about 2 years ago)
Added
2023-06-05 (about 2 years ago)
Last Updated
2023-06-05 (about 2 years ago)

Other

Published
Title
Published
2024-01-17
Title
Browser Theme Color < 1.4 - Settings Update via CSRF
Published
2023-10-26
Title
Thumbnail Slider With Lightbox < 1.0.1 - Arbitrary File Upload via CSRF
Published
2025-04-04
Title
WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms < 1.1.4 - Cross-Site Request Forgery
Published
2023-07-07
Title
WP SMS < 6.2.0 - User Unsubscribe via CSRF
Published
2025-01-07
Title
Instabot <= 1.10 - Cross-Site Request Forgery to Stored Cross-Site Scripting