Description
Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions.
Published: 2026-06-15
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference affecting the KiviCare plugin for WordPress. It permits an attacker to manipulate subscriber identifiers in API requests or URLs to read or modify other subscribers’ personal data, thereby compromising confidentiality and integrity of patient or appointment information. The description explicitly states that identity numbers can be altered by the user, and it is inferred that an attacker who can craft such requests would gain unauthorized access to data belonging to other subscribers.

Affected Systems

The issue affects the Iqonic Design KiviCare plugin for WordPress, versions up to and including 4.2.1. Any WordPress site that hosts a vulnerable KiviCare installation may be impacted.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity risk, while the EPSS score of less than 1% suggests that successful exploitation is currently unlikely but not impossible. The vulnerability is not listed in CISA KEV. An attacker can target the IDOR by sending crafted HTTP requests to plugin resource URLs or API endpoints that reference subscriber IDs. It is inferred that the attacker would need to be authenticated as a regular subscriber to forge such requests, though the low exploit probability and moderate severity make the overall risk moderate but worth addressing promptly.

Generated by OpenCVE AI on June 18, 2026 at 03:25 UTC.

Remediation

Vendor Solution

Update the WordPress KiviCare Plugin to the latest available version (at least 4.3.0).


OpenCVE Recommended Actions

  • Update the WordPress KiviCare plugin to version 4.3.0 or later as provided by the vendor.
  • If an immediate upgrade cannot be performed, restrict subscriber role permissions so that subscribers can access only their own data, and disable any public API endpoints that expose subscriber identifiers.
  • Monitor WordPress access logs for abnormal requests to subscriber resources and investigate any unauthorized activity.

Generated by OpenCVE AI on June 18, 2026 at 03:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Iqonic
Iqonic kivicare
Wordpress
Wordpress wordpress
Vendors & Products Iqonic
Iqonic kivicare
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions.
Title WordPress KiviCare plugin <= 4.2.1 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses CWE-639
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


Subscriptions

Iqonic Kivicare
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-15T22:28:54.301Z

Reserved: 2026-04-15T09:20:46.957Z

Link: CVE-2026-40792

cve-icon Vulnrichment

Updated: 2026-06-15T22:28:46.717Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:16:51.537

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-40792

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:15:02Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key