KiviCare Management System < 3.2.1 - Subscriber+ Sensitive Information Disclosure
Description
The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user data, allowing low-privilege users such as Subscribers to retrieve sensitive information such as the user email and hashed password of other users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The KiviCare WordPress plugin before 3.2.1 exposes all user data including emails and hashed passwords to low-privileged users.
Vulnerability
The KiviCare WordPress plugin versions prior to 3.2.1 fail to restrict the data returned in a response, exposing all user fields including sensitive information such as user email and hashed passwords [1]. This occurs when a low-privileged user (e.g., subscriber) makes a request to a vulnerable endpoint, likely an API or user listing function that does not filter the returned fields based on the requester's permissions.
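The pattern described above, shown as an added example and not KiviCare's own code: a WordPress AJAX handler that returns raw WP_User objects (which serialize with their `data` property, including user_email and user_pass) to any logged-in user, next to a hardened handler that checks a nonce and a capability and emits only an allowlist of fields. The action names, the nonce action and the helper function are hypothetical.

```php
<?php
/*
 * Added example (not KiviCare's code). Action names, nonce action and the
 * helper below are hypothetical; the WordPress APIs used are real.
 */

// VULNERABLE PATTERN: every logged-in user, Subscribers included, can reach a
// wp_ajax_* action. get_users() returns WP_User objects whose public `data`
// property is the full wp_users row, so json_encode() (via wp_send_json)
// emits user_email, user_pass (the stored hash) and user_activation_key.
add_action( 'wp_ajax_example_list_users_vulnerable', function () {
    $users = get_users();      // no capability check, no field filtering
    wp_send_json( $users );    // leaks every column of every user
} );

// HARDENED PATTERN: CSRF check, capability check that Subscribers fail,
// and an explicit allowlist of fields that may leave the server.
add_action( 'wp_ajax_example_list_users_hardened', function () {
    // Dies with 403 unless the request carries a valid nonce for this action.
    check_ajax_referer( 'example_list_users', 'nonce' );

    // Subscribers do not have list_users; Administrators do.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $users = get_users( array( 'number' => 100 ) );
    wp_send_json_success( array_map( 'example_public_user_fields', $users ) );
} );

/**
 * Reduce a WP_User to the fields a caller is allowed to see. Anything not
 * named here (user_pass, user_email, user_activation_key, ...) is never
 * serialized, even if WP_User gains new properties in a future release.
 */
function example_public_user_fields( WP_User $user ) {
    return array(
        'id'           => (int) $user->ID,
        'display_name' => $user->display_name,
        'roles'        => $user->roles,
    );
}
```

The allowlist is the part that matters most: a capability check alone still returns password hashes to anyone who does hold the capability, and a response built from `$user->data` cannot be made safe by removing fields one at a time. Build the response from named fields instead.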
Exploitation
An attacker needs only a low-privileged account (e.g., subscriber) on the WordPress site. No special network position or additional authentication is required beyond the existing session. The attacker authenticates as a subscriber, sends a crafted request to the vulnerable endpoint, and receives the full user data of all registered users, including their email addresses and password hashes [1].
Impact
Successful exploitation results in the disclosure of sensitive information: user email addresses and hashed passwords of all users, including administrators. This can lead to further attacks such as offline password cracking or targeted phishing. The hashes are WordPress's own: phpass portable hashes (salted, iterated MD5, `$P$` prefix) on WordPress before 6.8 and bcrypt from 6.8 onward, so weak or reused administrator passwords are crackable offline, and the older scheme is markedly cheaper to attack. The attacker obtains this information while operating with only subscriber-level privileges, potentially compromising the entire site if administrator credentials are cracked [1].
Mitigation
The vulnerability is fixed in version 3.2.1 of the KiviCare plugin; site administrators should update to 3.2.1 or later. No workarounds are documented in the available reference [1]. As general hardening while an update is pending (not taken from the reference): disable open registration (Settings > General > Membership, "Anyone can register") and review existing Subscriber accounts, since the attack requires only a Subscriber login. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
WordPress / KiviCare (plugin), versions before 3.2.1
Patches
No patches discovered yet.
References
1. https://wpscan.com/vulnerability/85cc39b1-416f-4d23-84c1-fdcbffb0dda0 (WPScan; tags: mitre, exploit, vdb-entry, technical-description)