KiviCare Management System < 3.2.1 - Multiple CSRF
CVE-2023-2628

8.8 HIGH

Key Information:

Vendor: WordPress
Status: Vendor
CVE Published: 27 June 2023

Summary

The KiviCare WordPress plugin, in versions before 3.2.1, does not perform CSRF checks (WordPress nonces) in some of its AJAX actions. Because the wp_ajax_ hooks are reachable by any logged-in user and the browser attaches the session cookie automatically, an attacker who lures an authenticated user to a page they control can make that user's browser issue the requests. The unwanted actions include deleting arbitrary appointments, editing medical records, and creating or updating user accounts for both patients and doctors. This is why the CVSS vector records no privileges required but user interaction required: the attacker needs no account of their own, only a victim who is logged in.
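To make the defect and the fix concrete, here is an added example in the form of a WordPress plugin AJAX handler that deletes an appointment, first without any CSRF check and then hardened. This is illustrative code written for this page, not KiviCare's source; the hook names, the nonce action, the capability name and the table and column names are all assumptions chosen for the example.

```php
<?php
/*
 * Added example, not KiviCare's code. Hook names, the nonce action
 * 'example_delete_appointment', the capability 'example_manage_appointments'
 * and the table/column names are assumptions made for illustration.
 */

/* Vulnerable pattern: the wp_ajax_ hook only proves the caller is logged in.
 * A page on any origin can POST to admin-ajax.php and the victim's browser
 * adds the session cookie, so the attacker controls every parameter. */
add_action( 'wp_ajax_example_delete_appointment_unsafe', function () {
    global $wpdb;
    $id = absint( $_POST['appointment_id'] ?? 0 );
    $wpdb->delete( $wpdb->prefix . 'example_appointments', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success( array( 'deleted' => $id ) );
} );

/* Hardened pattern: nonce check first, then capability, then ownership. */
add_action( 'wp_ajax_example_delete_appointment', 'example_delete_appointment' );

function example_delete_appointment() {
    global $wpdb;

    // 1. CSRF: the nonce is tied to the current user and to this action, and a
    //    third-party page cannot read it. With the default third argument,
    //    check_ajax_referer() terminates the request (HTTP 403) on failure.
    check_ajax_referer( 'example_delete_appointment', 'nonce' );

    // 2. Authorisation: being logged in is not enough. Require a capability
    //    that the plugin would grant to the roles allowed to manage bookings.
    if ( ! current_user_can( 'example_manage_appointments' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation and an object-level check: delete only rows the
    //    caller created, so a valid nonce still cannot reach other users' data.
    $id = absint( $_POST['appointment_id'] ?? 0 );
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid id' ), 400 );
    }
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'example_appointments',
        array( 'id' => $id, 'created_by' => get_current_user_id() ),
        array( '%d', '%d' )
    );
    if ( ! $deleted ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 );
    }
    wp_send_json_success( array( 'deleted' => $id ) );
}

/* Client side: expose the nonce to the plugin's own script so legitimate
 * requests can send it as the 'nonce' POST field checked above. */
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'example-appointments', plugins_url( 'appointments.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-appointments', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_delete_appointment' ),
    ) );
} );
```

Two points worth keeping in mind when reviewing a plugin for this class of bug: a nonce check alone is a CSRF control, not an authorisation control, so the capability and ownership checks are still required, and the check must run before any state change, not after it.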

Affected Version(s)

KiviCare < 3.2.1 (all releases before 3.2.1)

CVSS v3.1

Score: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Erwan LR (WPScan)