Description
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to mark arbitrary pending appointments as Confirmed and forge an associated completed payment record in wp_kc_payments_appointment_mappings using an attacker-supplied payment ID, bypassing payment entirely. This exploit is achievable on a default installation because the gateway resolution logic returns all registered gateways regardless of admin-enabled status, making the manual (KCPayLater) gateway always selectable.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Fri, 10 Jul 2026 13:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Iqonicdesign
Iqonicdesign kivicare – Clinic & Patient Management System (ehr) Wordpress Wordpress wordpress |
|
| Vendors & Products |
Iqonicdesign
Iqonicdesign kivicare – Clinic & Patient Management System (ehr) Wordpress Wordpress wordpress |
Fri, 10 Jul 2026 10:15:00 +0000
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-10T09:32:45.502Z
Reserved: 2026-06-11T14:38:19.971Z
Link: CVE-2026-11990
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T13:00:16Z
Weaknesses
-
CWE-862
Missing Authorization