KiviCare Management System < 3.2.1 - Multiple CSRF
CVE-2023-2628
8.8HIGH
Summary
The KiviCare WordPress plugin before version 3.2.1 does not perform CSRF checks in some of its AJAX actions. An attacker can therefore make a logged-in user carry out unintended actions, such as deleting arbitrary appointments, changing medical records, and creating or updating user accounts for both patients and doctors.
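As an added illustration (not KiviCare's code; the handler names, table name, nonce action and capability are placeholders), a WordPress AJAX handler in the unprotected shape the summary describes, next to one guarded by a nonce and a capability check, with the code that hands the nonce to the legitimate front end:

```php
<?php
// Added example, not from the KiviCare plugin. All names below are placeholders.

// Unprotected shape: the handler acts on whatever appointment id the request
// carries. A logged-in user whose browser is made to send this request from
// another site triggers the deletion without intending to.
function kc_delete_appointment_unsafe() {
    global $wpdb;
    $id = absint( $_POST['id'] ?? 0 );
    $wpdb->delete( $wpdb->prefix . 'kc_appointments', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_kc_delete_appointment_unsafe', 'kc_delete_appointment_unsafe' );

// Hardened shape: check_ajax_referer() verifies a nonce tied to the action
// (a cross-site request cannot read it) and dies with HTTP 403 on failure;
// the capability check then limits the action to users allowed to perform it.
function kc_delete_appointment_safe() {
    check_ajax_referer( 'kc_delete_appointment', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { // placeholder capability
        wp_send_json_error( 'forbidden', 403 );
    }
    global $wpdb;
    $id = absint( $_POST['id'] ?? 0 );
    $wpdb->delete( $wpdb->prefix . 'kc_appointments', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_kc_delete_appointment_safe', 'kc_delete_appointment_safe' );

// The nonce reaches the plugin's own script when it is enqueued, so only
// requests built by that script (same origin) can present a valid value.
function kc_enqueue_admin_script() {
    wp_enqueue_script( 'kc-admin', plugins_url( 'kc-admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'kc-admin', 'kcAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'kc_delete_appointment' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'kc_enqueue_admin_script' );
```

The script then posts `action=kc_delete_appointment_safe`, the appointment id and `nonce=kcAjax.nonce` to `kcAjax.url`; a request missing or carrying a stale nonce is rejected before any database access.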
Affected Version(s)
KiviCare < 3.2.1 (all versions before 3.2.1)
References
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Erwan LR (WPScan)
WPScan