Description
Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions.
Published: 2026-06-15
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference (IDOR) affecting the KiviCare plugin for WordPress. It allows an authenticated subscriber, or any user who knows the structure of the affected API endpoints, to access or modify other subscribers’ data simply by manipulating object identifiers in requests. The weakness lets such a user read or alter confidential patient or appointment information, violating both confidentiality and integrity.

Affected Systems

The issue affects the Iqonic Design KiviCare plugin for WordPress, versions up to and including 4.2.1. Any WordPress site that has a vulnerable KiviCare installation is potentially impacted.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation is currently unlikely but still possible. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the IDOR by crafting requests to resource URLs or API endpoints that reference subscriber IDs, bypassing normal access controls. No prerequisites are specified beyond having HTTP access to the site; however, it likely requires the attacker to be authenticated as a regular subscriber to make the request. The absence of a known exploit and the low exploit probability keep the risk moderate, but it should still be mitigated promptly.

Generated by OpenCVE AI on June 16, 2026 at 22:25 UTC.

Remediation

Vendor Solution

Update the WordPress KiviCare Plugin to the latest available version (at least 4.3.0).


OpenCVE Recommended Actions

  • Update the WordPress KiviCare Plugin to version 4.3.0 or later as provided by the vendor.
  • If an immediate upgrade is not possible, limit subscriber access to only their own data by tightening role‑based permissions or disabling public API endpoints that expose subscriber identifiers.
  • Continuously monitor WordPress logs for anomalous requests to subscriber resources and investigate any unauthorized access attempts.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 00:30:00 +0000 (no values removed)

  • Metrics: added ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000 (no values removed)

  • Description: added "Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions."
  • Title: added "WordPress KiviCare plugin <= 4.2.1 - Insecure Direct Object References (IDOR) vulnerability"
  • Weaknesses: added CWE-639
  • References: (none listed)
  • Metrics: added cvssV3_1
    {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T22:28:54.301Z

Reserved: 2026-04-15T09:20:46.957Z

Link: CVE-2026-40792

Vulnrichment

Updated: 2026-06-15T22:28:46.717Z

NVD

Status: Deferred

Published: 2026-06-15T21:16:51.537

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40792

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:30:05Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key