CVE-2023-2627

Name of the Vulnerable Software and Affected Versions KiviCare WordPress plugin versions prior to 3.2.1

Description The issue concerns improper CSRF and authorization checks in various AJAX actions within the KiviCare WordPress plugin. This allows any authenticated user, including those with minimal privileges like subscribers, to execute these actions. Potential attacks include adding arbitrary clinic administrators, doctors, or other entities, as well as updating the plugin's settings.

Recommendations For versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the AJAX actions until the update can be applied. Additionally, limiting the privileges of authenticated users, such as subscribers, can help minimize the risk of exploitation.