{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25034", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-28T09:52:08.058Z", "datePublished": "2026-03-25T16:14:38.857Z", "dateUpdated": "2026-03-26T16:40:31.744Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "kivicare-clinic-management-system", "product": "KiviCare", "vendor": "Iqonic Design", "versions": [{"changes": [{"at": "4.0.0", "status": "unaffected"}], "lessThanOrEqual": "<= 3.6.16", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Andrea Bocchetti | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:19.213Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects KiviCare: from n/a through <= 3.6.16.</p>"}], "value": "Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KiviCare: from n/a through <= 3.6.16."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:38.857Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-16-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress KiviCare plugin <= 3.6.16 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25034", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:32:19.662480Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:40:31.744Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-25034", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T16:32:19.662480Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T16:32:20.667Z"}}], "cna": {"title": "WordPress KiviCare plugin <= 3.6.16 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Andrea Bocchetti | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "Iqonic Design", "product": "KiviCare", "versions": [{"status": "affected", "changes": [{"at": "4.0.0", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 3.6.16"}], "packageName": "kivicare-clinic-management-system", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:19.213Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-16-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KiviCare: from n/a through <= 3.6.16.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects KiviCare: from n/a through <= 3.6.16.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:38.857Z"}}}, "cveMetadata": {"cveId": "CVE-2026-25034", "state": "PUBLISHED", "dateUpdated": "2026-03-26T16:40:31.744Z", "dateReserved": "2026-01-28T09:52:08.058Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:38.857Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects KiviCare: from n/a through <= 3.6.16."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Iqonic Design KiviCare kivicare-clinic-management-system permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a KiviCare: desde n/a hasta &lt;= 3.6.16."}], "id": "CVE-2026-25034", "lastModified": "2026-03-26T17:16:30.053", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:43.237", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-16-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.6.16]"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 81.0, "source": "matching"}]}, "original": {"product": "KiviCare", "source": "cna", "vendor": "Iqonic Design"}, "product": "kivicare", "vendor": "iqonic"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T19:01:37.476522+00:00", "value": {"mitigation_remediation": ["Apply a plugin version newer than 3.6.16 to eliminate the access control flaw."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Data Access"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the KiviCare clinic management plugin in any version up to and including 3.6.16 are affected. Sites running Iqonic Design KiviCare in the specified version range with the plugin installed are at risk.", "description_and_impact": "A missing authorization check in the Iqonic Design KiviCare plugin allows attackers to bypass intended access controls and read or modify sensitive data related to patient records and appointment details. The flaw is classified as CWE\u2011862 and provides unauthorized access to information normally protected by the plugin\u2019s security model.", "risk_and_exploitability": "The likely attack vector is through standard web requests to the plugin\u2019s endpoints, requiring only internet access to the WordPress site. No special conditions are specified in the description, so exploitation can occur from unauthenticated or low\u2011privileged users. While no CVSS or EPSS score is provided and the vulnerability is not listed in the KEV catalog, the access\u2011control failure presents a moderate to high risk due to potential exposure of confidential information."}}}}, "created": "2026-03-25T21:34:10.773771+00:00", "updated": "2026-03-26T11:39:25.814927+00:00", "vendors": ["iqonic", "iqonic$PRODUCT$kivicare", "wordpress", "wordpress$PRODUCT$wordpress"]}