CVE-2023-2628: KiviCare Management System < 3.2.1 - Multiple CSRF

0.0 CVSS

Description

The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks (either flawed or missing completely) in various AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. This includes, but is not limited to: Delete arbitrary appointments/medical records/etc, create/update various users (patients, doctors etc)

Classification

CVE ID: CVE-2023-2628

CVSS Base Severity: LOW

CVSS Base Score: 0.0

Affected Products

Vendor: Unknown

Product: KiviCare

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.21% (probability of being exploited)

EPSS Percentile: 59.26% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://wpscan.com/vulnerability/e0741e2c-c529-4815-8744-16e01cdb0aed

Timeline

2024-11-28 00:11:00 UTC
CVE

KiviCare Management System < 3.2.1 - Multiple CSRF