PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11990 iqonicdesign CVE debrief

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress has an authorization bypass vulnerability in all versions up to, and including, 4.4.0. This allows unauthenticated attackers to mark arbitrary pending appointments as Confirmed and forge an associated completed payment record. The vulnerability is due to improper verification of user authorization for actions. The exploit is achievable on a default installation because the gateway resolution logic returns all registered gateways, making the manual (KCPayLater) gateway always selectable. This issue has a medium CVSS score of 5.3 and is classified as MEDIUM severity.

Vendor
iqonicdesign
Product
KiviCare – Clinic & Patient Management System (EHR)
CVSS
MEDIUM 5.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of the KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress, especially those with versions up to and including 4.4.0, should be aware of this vulnerability and take necessary defensive actions. This includes administrators of WordPress installations using the affected plugin, security teams responsible for monitoring and mitigating vulnerabilities, and operators of healthcare or clinic management systems who may be impacted by the exploitation of this vulnerability.

Technical summary

The vulnerability in the KiviCare plugin is caused by the lack of proper authorization checks. This allows attackers to perform actions without being authenticated. The technical impact includes the ability to mark pending appointments as confirmed and create forged payment records. The issue arises from the plugin's gateway resolution logic, which returns all registered gateways, making certain gateways always selectable for exploitation.

Defensive priority

Medium priority due to the potential for unauthorized actions and the achievable exploit on default installations.

Recommended defensive actions

  • Update to a version beyond 4.4.0 if available
  • Restrict access to appointment management features
  • Monitor for suspicious appointment and payment activities
  • Implement additional authentication checks for payment processing
  • Review and adjust the gateway configuration to prevent exploitation
  • Conduct regular security audits to identify and address potential vulnerabilities
  • Enhance monitoring and logging to detect unusual activities related to appointment and payment processing

Evidence notes

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress has a vulnerability, as indicated by evidence from the NVD and Wordfence. However, details about the vendor and affected scope are limited. Defenders should verify the vulnerability's impact on their systems, focusing on the plugin's authorization bypass issue. The exploit is achievable on a default installation due to gateway resolution logic returning all registered gateways, regardless of admin-enabled status.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T10:16:21.323Z and has not been modified since then.