CVE-2023-2627: KiviCare Management System < 3.2.1 - Subscriber+ Unauthorised AJAX Calls

0.0 CVSS

Description

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated users, such as subscriber to call them. Attacks include but are not limited to: Add arbitrary Clinic Admin/Doctors/etc and update plugin's settings

Classification

CVE ID: CVE-2023-2627

CVSS Base Severity: LOW

CVSS Base Score: 0.0

Affected Products

Vendor: Unknown

Product: KiviCare

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 22.73% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://wpscan.com/vulnerability/162d0029-2adc-4925-9985-1d5d672dbe75

Timeline

2024-12-04 00:11:04 UTC
CVE

KiviCare Management System < 3.2.1 - Subscriber+ Unauthorised AJAX Calls