{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25034", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:52:08.058Z", "datePublished": "2026-03-25T16:14:38.857Z", "dateUpdated": "2026-03-25T16:14:38.857Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "kivicare-clinic-management-system", "product": "KiviCare", "vendor": "Iqonic Design", "versions": [{"changes": [{"at": "4.0.0", "status": "unaffected"}], "lessThanOrEqual": "<= 3.6.16", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Andrea Bocchetti | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:19.213Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects KiviCare: from n/a through <= 3.6.16.</p>"}], "value": "Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KiviCare: from n/a through <= 3.6.16."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:38.857Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-16-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress KiviCare plugin <= 3.6.16 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KiviCare: from n/a through <= 3.6.16."}], "id": "CVE-2026-25034", "lastModified": "2026-03-25T17:16:43.237", "metrics": {}, "published": "2026-03-25T17:16:43.237", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-16-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:01:37.476522+00:00", "value": {"mitigation_remediation": ["Apply a plugin version newer than 3.6.16 to eliminate the access control flaw."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Data Access"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the KiviCare clinic management plugin in any version up to and including 3.6.16 are affected. Sites running Iqonic Design KiviCare in the specified version range with the plugin installed are at risk.", "description_and_impact": "A missing authorization check in the Iqonic Design KiviCare plugin allows attackers to bypass intended access controls and read or modify sensitive data related to patient records and appointment details. The flaw is classified as CWE\u2011862 and provides unauthorized access to information normally protected by the plugin\u2019s security model.", "risk_and_exploitability": "The likely attack vector is through standard web requests to the plugin\u2019s endpoints, requiring only internet access to the WordPress site. No special conditions are specified in the description, so exploitation can occur from unauthenticated or low\u2011privileged users. While no CVSS or EPSS score is provided and the vulnerability is not listed in the KEV catalog, the access\u2011control failure presents a moderate to high risk due to potential exposure of confidential information."}}}}, "created": "2026-03-25T21:34:10.773771+00:00", "updated": "2026-03-25T21:34:10.773806+00:00", "vendors": []}