Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Password Recovery Exploitation. This issue affects KiviCare: from n/a through <= 4.3.0.
Published: 2026-05-27
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The KiviCare clinic management plugin for WordPress contains an authentication bypass flaw in its password recovery functionality that allows attackers to gain unauthorized access without knowing valid credentials. The weakness is classified as CWE‑288 (Authentication Bypass Using an Alternate Path or Channel) and can result in full control of the web application, exposure of sensitive data, and the potential for further lateral movement within the hosting environment.

Affected Systems

WordPress sites running the Iqonic Design KiviCare plugin version 4.3.0 or earlier are affected. The vendor states that the issue exists from an unspecified base release through all versions up to and including 4.3.0; because no earliest affected release is identified, any site running 4.3.0 or any earlier version should be considered vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 8.2 rates this vulnerability as high severity; the vector (AV:N/AC:L/PR:N/UI:N) indicates it is reachable over the network with low attack complexity and requires neither privileges nor user interaction. At the time of this analysis no EPSS score was available, so the current exploitation probability cannot be quantified. The vulnerability is not listed in the CISA KEV catalog at this time. Attackers can likely exploit the flaw through the web interface of the affected WordPress installation by targeting the password recovery channel to bypass authentication.

Generated by OpenCVE AI on May 27, 2026 at 11:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the KiviCare plugin to the latest available version, if a patch is released.
  • Disable or restrict the password recovery feature if it is not essential for legitimate users.
  • Implement multi‑factor authentication on the WordPress administrative interface to add an extra layer of protection against unauthorized access.

Generated by OpenCVE AI on May 27, 2026 at 11:52 UTC.

Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type          Values Removed   Values Added
Description   (none)           Authentication Bypass Using an Alternate Path or Channel vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Password Recovery Exploitation.This issue affects KiviCare: from n/a through <= 4.3.0.
Title         (none)           WordPress KiviCare plugin <= 4.3.0 - Broken Authentication vulnerability
Weaknesses    (none)           CWE-288
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-27T10:52:37.961Z

Reserved: 2026-04-29T09:05:25.570Z

Link: CVE-2026-42735

Vulnrichment

Updated: 2026-05-27T10:52:32.851Z

NVD

Status : Deferred

Published: 2026-05-27T11:16:20.117

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-42735

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T12:00:32Z

Weaknesses