Impact
The vulnerability is an Insecure Direct Object Reference affecting the KiviCare plugin for WordPress. It permits an attacker to manipulate subscriber identifiers in API requests or URLs to read or modify other subscribers’ personal data, thereby compromising confidentiality and integrity of patient or appointment information. The description explicitly states that identity numbers can be altered by the user, and it is inferred that an attacker who can craft such requests would gain unauthorized access to data belonging to other subscribers.
Affected Systems
The issue affects the Iqonic Design KiviCare plugin for WordPress, versions up to and including 4.2.1. Any WordPress site that hosts a vulnerable KiviCare installation may be impacted.
Risk and Exploitability
The CVSS score of 6.3 indicates a moderate severity risk, while the EPSS score of less than 1% suggests that successful exploitation is currently unlikely but not impossible. The vulnerability is not listed in CISA KEV. An attacker can target the IDOR by sending crafted HTTP requests to plugin resource URLs or API endpoints that reference subscriber IDs. It is inferred that the attacker would need to be authenticated as a regular subscriber to forge such requests, though the low exploit probability and moderate severity make the overall risk moderate but worth addressing promptly.
OpenCVE Enrichment