Authorization Bypass in KiviCare Clinic & Patient Management System Plugin
CVE-2026-11990
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2026-11990?
The KiviCare β Clinic & Patient Management System plugin for WordPress is susceptible to an authorization bypass flaw in all versions up to and including 4.4.0. This vulnerability allows unauthenticated users to manipulate pending appointments, marking them as confirmed, and create false payment records in the database. The problem arises from the plugin's failure to validate user permissions correctly, which enables attackers to access payment gateway functionality without proper authorization. This issue can be exploited on default installations, given that specific payment gateways are presented regardless of their configuration status.
Affected Version(s)
KiviCare β Clinic & Patient Management System (EHR) 0 <= 4.4.0