MEDIUM
iqonicdesign
CVE published 2026-07-10
CVE-2026-11990
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress has an authorization bypass vulnerability in all versions up to, and including, 4.4.0. This allows unauthenticated attackers to mark arbitrary pending appointments as Confirmed and forge an associated completed payment record. The vulnerability is due to improper verification of user authorization for actions. The exploit is achi [truncated]