VYPR
Unrated severity · NVD Advisory · Published Jun 27, 2023 · Updated Dec 3, 2024

KiviCare Management System < 3.2.1 - Subscriber+ Unauthorised AJAX Calls

CVE-2023-2627

Description

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated user, such as a subscriber, to call them. Attacks include, but are not limited to, adding arbitrary Clinic Admins/Doctors/etc. and updating the plugin's settings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The KiviCare WordPress plugin before 3.2.1 lacks CSRF and authorization checks in AJAX actions, allowing authenticated users to add clinic admins/doctors and modify settings.

Vulnerability

The KiviCare WordPress plugin versions prior to 3.2.1 fail to implement proper CSRF and authorization checks across various AJAX actions. This means any authenticated user, including those with subscriber-level privileges, can call these actions without appropriate validation. The affected actions are exposed through plugin-defined AJAX endpoints, and no additional configuration or privilege levels are required to reach the vulnerable code path [1].

Exploitation

An attacker needs only a valid user account on the WordPress site (such as a subscriber) with no elevated permissions. By crafting a malicious request (or enticing a logged-in user to click a link or submit a form), the attacker can call the vulnerable AJAX actions. The lack of CSRF protection means that simply visiting a crafted page can trigger the attack if the victim is authenticated. The sequence of steps involves sending a POST or GET request to the relevant AJAX handlers that lack capability checks [1].

Impact

Successful exploitation allows the attacker to perform actions such as adding arbitrary clinic administrators or doctors, as well as updating plugin settings. This can lead to privilege escalation, where an attacker gains administrative control over the clinic management features, potentially impacting patient data confidentiality and availability. The attacker achieves a higher privilege level within the plugin's context, bypassing intended access controls [1].

Mitigation

Update the KiviCare plugin to version 3.2.1, which was released on 2023-06-05 (approximately 2 years ago) and fixes the missing CSRF and authorization checks. There are no documented workarounds; applying the update is the only effective mitigation. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
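In WordPress terms, the two missing controls are a nonce check (CSRF) and a capability check (authorisation) inside the AJAX callback. The handler below is an added example of that hardened pattern; it is not KiviCare's code, and the action name, nonce action, script handle and the `manage_options` capability are assumed placeholders.

```php
<?php
// Added example, not KiviCare code. Action, nonce and handle names are placeholders.

// Hardened admin-ajax handler carrying both checks the advisory says were missing.
function example_add_doctor_handler() {
    // 1. CSRF: verify the nonce sent with the request in the 'security' field.
    //    check_ajax_referer() terminates the request (403) if it is missing or invalid,
    //    so a forged cross-site request from a logged-in victim never reaches the logic.
    check_ajax_referer( 'example_add_doctor_nonce', 'security' );

    // 2. Authorisation: require a concrete capability, not merely "authenticated".
    //    A subscriber lacks manage_options, so the request stops here with a 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Only now read input, and sanitise it before use.
    $name  = isset( $_POST['name'] )  ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) )      : '';
    if ( '' === $name || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid input.' ), 400 );
    }

    // Placeholder for the privileged operation (e.g. creating the doctor record).
    wp_send_json_success( array( 'name' => $name, 'email' => $email ) );
}
// Registered for logged-in users only; deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_add_doctor', 'example_add_doctor_handler' );

// The nonce has to be issued to the page that sends the request. Assumes a script
// with handle 'example-admin' is registered elsewhere in the plugin.
function example_localize_nonce() {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_add_doctor_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_localize_nonce' );
```

When auditing a plugin for this bug class, look for every `wp_ajax_*` callback and confirm both a `check_ajax_referer()`/`wp_verify_nonce()` call and a `current_user_can()` check precede any state change.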

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
