Description
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to mark arbitrary pending appointments as Confirmed and forge an associated completed payment record in wp_kc_payments_appointment_mappings using an attacker-supplied payment ID, bypassing payment entirely. This exploit is achievable on a default installation because the gateway resolution logic returns all registered gateways regardless of admin-enabled status, making the manual (KCPayLater) gateway always selectable.
Published: 2026-07-10
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/4.3.0/app/baseClasses/KCPaymentGatewayFactory.php#L131 cve-icon
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/4.3.0/app/controllers/api/AppointmentsController.php#L3931 cve-icon
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/4.3.0/app/controllers/api/AppointmentsController.php#L465 cve-icon
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/4.3.0/app/paymentGateways/KCPayLater.php#L109 cve-icon
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/4.3.0/app/services/KCAppointmentPaymentService.php#L32 cve-icon
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/4.4.0/app/baseClasses/KCPaymentGatewayFactory.php#L131 cve-icon
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/4.4.0/app/controllers/api/AppointmentsController.php#L3931 cve-icon
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/4.4.0/app/controllers/api/AppointmentsController.php#L465 cve-icon
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/4.4.0/app/paymentGateways/KCPayLater.php#L109 cve-icon
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/4.4.0/app/services/KCAppointmentPaymentService.php#L32 cve-icon
https://plugins.trac.wordpress.org/changeset?reponame=&old=3599918%40kivicare-clinic-management-system&new=3599918%40kivicare-clinic-management-system cve-icon
https://www.wordfence.com/threat-intel/vulnerabilities/id/efe4223a-5c1a-401e-a46b-0278e96d2d71?source=cve cve-icon
History

Fri, 10 Jul 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Iqonicdesign
Iqonicdesign kivicare – Clinic & Patient Management System (ehr)
Wordpress
Wordpress wordpress
Vendors & Products Iqonicdesign
Iqonicdesign kivicare – Clinic & Patient Management System (ehr)
Wordpress
Wordpress wordpress

Fri, 10 Jul 2026 10:15:00 +0000

Type Values Removed Values Added
Description The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to mark arbitrary pending appointments as Confirmed and forge an associated completed payment record in wp_kc_payments_appointment_mappings using an attacker-supplied payment ID, bypassing payment entirely. This exploit is achievable on a default installation because the gateway resolution logic returns all registered gateways regardless of admin-enabled status, making the manual (KCPayLater) gateway always selectable.
Title KiviCare <= 4.4.0 - Missing Authorization to Unauthenticated Payment Bypass and Appointment Status Manipulation via /payment-success REST Endpoint
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Iqonicdesign Kivicare – Clinic & Patient Management System (ehr)
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-10T09:32:45.502Z

Reserved: 2026-06-11T14:38:19.971Z

Link: CVE-2026-11990

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T13:00:16Z

Weaknesses