CVE-2023-2627

CWE-862Missing AuthorizationCWE-352Cross-Site Request Forgery (CSRF)4 documents4 sources
Severity
4.3MEDIUM
EPSS
0.1%
top 77.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown KivicareIqonic Kivicare
Timeline
PublishedJun 27
Latest updateMar 19

Description

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated users, such as subscriber to call them. Attacks include but are not limited to: Add arbitrary Clinic Admin/Doctors/etc and update plugin's settings

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDiqonic/kivicare< 3.2.1
CVEListV5unknown/kivicare< 3.2.1

🔴Vulnerability Details

2
GHSA
GHSA-mjmv-wghg-gx7m: The KiviCare WordPress plugin before 32023-06-27
CVEList
KiviCare Management System < 3.2.1 - Subscriber+ Unauthorised AJAX Calls2023-06-27

📋Vendor Advisories

1
Chrome
Stable Channel Update for Desktop: CVE-2024-26262024-03-19