VYPR
Medium severity (CVSS 6.3) · NVD Advisory · Published Jun 15, 2026 · Updated Jun 15, 2026

CVE-2026-40792

Description

An IDOR vulnerability in the KiviCare plugin for WordPress (<=4.2.1) allows subscriber-level users to access unauthorized resources, potentially leading to data exposure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The KiviCare plugin for WordPress versions 4.2.1 and earlier contains an Insecure Direct Object Reference (IDOR) vulnerability that allows authenticated users with subscriber-level privileges to access unauthorized resources by manipulating object identifiers [1].

Exploitation

An attacker with a subscriber-level account on a WordPress site running the vulnerable plugin can exploit this IDOR by sending HTTP requests with manipulated object identifiers (e.g., patient IDs, appointment IDs) to access data belonging to other users or privileged resources. No additional user interaction is required [1].

Impact

Successful exploitation allows an attacker to view, modify, or delete sensitive data such as patient records, appointments, and other clinic management information. This can lead to significant data breaches and privacy violations [1].

Mitigation

The vulnerability is fixed in version 4.3.0 of the KiviCare plugin. Users are strongly advised to update immediately. For those unable to update, Patchstack offers a mitigation rule that blocks attacks until the update is applied [1].

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. The mechanics section is only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.