PatchSiren cyber security CVE debrief
CVE-2026-11990 iqonicdesign CVE debrief
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress has an authorization bypass vulnerability in all versions up to, and including, 4.4.0. This allows unauthenticated attackers to mark arbitrary pending appointments as Confirmed and forge an associated completed payment record. The vulnerability is due to improper verification of user authorization for actions. The exploit is achievable on a default installation because the gateway resolution logic returns all registered gateways, making the manual (KCPayLater) gateway always selectable. This issue has a medium CVSS score of 5.3 and is classified as MEDIUM severity.
- Vendor
- iqonicdesign
- Product
- KiviCare – Clinic & Patient Management System (EHR)
- CVSS
- MEDIUM 5.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of the KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress, especially those with versions up to and including 4.4.0, should be aware of this vulnerability and take necessary defensive actions. This includes administrators of WordPress installations using the affected plugin, security teams responsible for monitoring and mitigating vulnerabilities, and operators of healthcare or clinic management systems who may be impacted by the exploitation of this vulnerability.
Technical summary
The vulnerability in the KiviCare plugin is caused by the lack of proper authorization checks. This allows attackers to perform actions without being authenticated. The technical impact includes the ability to mark pending appointments as confirmed and create forged payment records. The issue arises from the plugin's gateway resolution logic, which returns all registered gateways, making certain gateways always selectable for exploitation.
Defensive priority
Medium priority due to the potential for unauthorized actions and the achievable exploit on default installations.
Recommended defensive actions
- Update to a version beyond 4.4.0 if available
- Restrict access to appointment management features
- Monitor for suspicious appointment and payment activities
- Implement additional authentication checks for payment processing
- Review and adjust the gateway configuration to prevent exploitation
- Conduct regular security audits to identify and address potential vulnerabilities
- Enhance monitoring and logging to detect unusual activities related to appointment and payment processing
Evidence notes
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress has a vulnerability, as indicated by evidence from the NVD and Wordfence. However, details about the vendor and affected scope are limited. Defenders should verify the vulnerability's impact on their systems, focusing on the plugin's authorization bypass issue. The exploit is achievable on a default installation due to gateway resolution logic returning all registered gateways, regardless of admin-enabled status.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T10:16:21.323Z and has not been modified since then.