VYPR
Unrated severity · NVD Advisory · Published Jun 27, 2023 · Updated Feb 13, 2025

KiviCare Management System < 3.2.1 - Reflected Cross-Site Scripting

CVE-2023-2624

Description

The KiviCare WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrator

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in KiviCare WordPress plugin before 3.2.1 allows attackers to inject arbitrary web scripts, targeting high-privilege users like administrators.

Vulnerability

The KiviCare WordPress plugin in versions prior to 3.2.1 echoes a request parameter into the page without sanitising or escaping it, which yields a Reflected Cross-Site Scripting (XSS) vulnerability. The advisory does not name the affected parameter. Because the value is reflected from a single request rather than stored, the attacker needs no account on the site; what matters is the session of the user who opens the crafted link [1].

Exploitation

An attacker crafts a URL in which the unescaped parameter carries script and gets a high-privilege user, such as an administrator, to open it (a link in an e-mail, a support ticket, a chat message). The attacker needs no credentials and no special network position; the request is an ordinary GET to the site, so it can be delivered remotely. User interaction is required, and the injected script only pays off if the victim holds an authenticated WordPress session when the page loads, since it then runs in the site's origin with that session's cookies and capabilities [1].
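The two sections above describe the mechanism (a parameter echoed without escaping) and the test (does a crafted value come back intact?). The following Python simulation is an added example and is not KiviCare's code; the advisory does not name the parameter, so the parameter name `q`, the path `/wp-admin/admin.php`, the page markup and the canary string are all assumptions. `html.escape(quote=True)` stands in for WordPress's `esc_html()`/`esc_attr()` in the fixed variant, and the HTML parser check confirms the canary actually became an element rather than merely appearing as text.

```python
"""Reflected-XSS mechanics and a canary-based reflection check (simulation).

Everything here is constructed for illustration: the parameter name, the
path and the markup are not taken from the KiviCare plugin.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

PLUGIN_PATH = "/wp-admin/admin.php"  # assumed; any page that echoes the parameter would do
PARAM = "q"                           # assumed; the advisory does not name the parameter

# Canary carrying every character needed to break out of HTML text and
# attribute contexts. The tag name is made up so it cannot collide with
# anything a real page emits.
CANARY = "'\"><x-vypr>cve-2023-2624</x-vypr>"


def render_vulnerable(query):
    """Pre-3.2.1 pattern: the request parameter is echoed back verbatim."""
    value = query.get(PARAM, [""])[0]
    return (
        "<h2>Search results</h2>"
        f"<p>You searched for: {value}</p>"
        f'<input type="text" name="{PARAM}" value="{value}">'
    )


def render_fixed(query):
    """3.2.1-style pattern: escape on output. html.escape(quote=True) plays the
    role of esc_html()/esc_attr(); quote=True matters because the value also
    lands inside a double-quoted attribute."""
    value = html.escape(query.get(PARAM, [""])[0], quote=True)
    return (
        "<h2>Search results</h2>"
        f"<p>You searched for: {value}</p>"
        f'<input type="text" name="{PARAM}" value="{value}">'
    )


def build_attack_url(base, param, payload):
    """What the attacker sends to the victim: an ordinary-looking GET link."""
    return f"{base}?{urlencode({param: payload})}"


def server_side_query(url):
    """Simulate WordPress populating $_GET from the request URL."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


class _TagCollector(HTMLParser):
    """Collects start-tag names so we can tell whether the canary was parsed
    as markup (a real injection) or stayed inert text."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_element_present(body, tag="x-vypr"):
    parser = _TagCollector()
    parser.feed(body)
    return tag in parser.tags


def reflected_unescaped(body, canary=CANARY):
    """True when the canary comes back byte-for-byte, i.e. the page did not
    escape it. An escaped reflection (&lt; &quot; ...) is not a finding."""
    return canary in body


def probe(render, param=PARAM, base=PLUGIN_PATH):
    """Run the full round trip against a page renderer and report the outcome."""
    url = build_attack_url(base, param, CANARY)
    body = render(server_side_query(url))
    return {
        "url": url,
        "vulnerable": reflected_unescaped(body),
        "escaped_reflection": html.escape(CANARY, quote=True) in body,
        "element_injected": injected_element_present(body),
    }


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        print(name, probe(render))
```

The probe is the shape of a safe reflection test: the canary contains no executable script, so it can be run against a staging copy without triggering anything, and the parser check avoids the false positive of a value that is "reflected" only inside an HTML comment or an already-escaped string.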

Impact

Successful exploitation lets the attacker run arbitrary JavaScript in the victim's browser within the site's origin. WordPress sets its authentication cookies HttpOnly by default, so outright cookie theft is unlikely; the realistic outcome is script that acts inside the victim's live session, which for an administrator means any action the admin UI exposes, from defacement and data theft to changes that amount to full site compromise [1].

Mitigation

The issue is fixed in KiviCare version 3.2.1, released on or around 2023-06-05. Users should update immediately. No workarounds are provided for older versions, and because the advisory does not name the parameter, a WAF rule cannot be tuned to it, so updating is the only reliable fix. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (none discovered yet)


References: 2