CVE-2023-2628

8.8 HIGH

📋 TL;DR

The KiviCare WordPress plugin before version 3.2.1 lacks proper CSRF protection in AJAX endpoints, allowing attackers to trick logged-in administrators into performing unauthorized actions. This affects all WordPress sites using vulnerable versions of the KiviCare plugin, potentially compromising medical appointment systems and user data.

💻 Affected Systems

Products:
  • KiviCare WordPress Plugin
Versions: All versions before 3.2.1
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with KiviCare plugin enabled. Vulnerable in default configuration.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could delete all medical records and appointments, create unauthorized admin accounts, or completely compromise the healthcare management system.

🟠

Likely Case

Targeted attacks deleting specific appointments or creating unauthorized patient/doctor accounts for fraud or data theft.

🟢

If Mitigated

With proper CSRF tokens and user awareness, impact is limited to failed exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires tricking authenticated users into visiting malicious pages. No authentication bypass needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.1

Vendor Advisory: https://wpscan.com/vulnerability/e0741e2c-c529-4815-8744-16e01cdb0aed

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the KiviCare plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.2.1+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

Platform: linux

Disable KiviCare plugin until patched

wp plugin deactivate kivicare-clinic-management-system

WordPress Security Plugin CSRF Protection

Platform: all

Enable CSRF protection via security plugins like Wordfence

🧯 If You Can't Patch

  • Implement strict user access controls and limit admin sessions
  • Deploy WAF rules to block suspicious AJAX requests to /wp-admin/admin-ajax.php

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → KiviCare version. If version < 3.2.1, vulnerable.

Check Version:

wp plugin get kivicare-clinic-management-system --field=version

Verify Fix Applied:

Confirm KiviCare plugin version is 3.2.1 or higher in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

  • Multiple AJAX requests to /wp-admin/admin-ajax.php from same session with different referers
  • Unauthorized appointment deletions or user creations in plugin logs

Network Indicators:

  • POST requests to admin-ajax.php with suspicious referer headers
  • CSRF token missing in AJAX requests

SIEM Query:

source="wordpress" AND uri="/wp-admin/admin-ajax.php" AND (action="kivicare_*" OR referer NOT CONTAINS site_domain)
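The SIEM query above is pseudo-syntax. As an added example (not from this page or the KiviCare project), the Python below applies the same idea to constructed combined-format access-log lines, tightening the page's OR into: flag admin-ajax.php POSTs whose Referer is missing or cross-site, and rank kivicare_* actions highest. SITE_DOMAIN, the sample IPs and the kivicare_* action names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

SITE_DOMAIN = "clinic.example"  # assumption: the site's own host name

# Apache/Nginx "combined" access log; POST bodies are not logged, so the
# action is only visible when it is in the query string, as in the samples.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

def referer_is_foreign(referer, site_domain):
    """True when the Referer is absent or points outside the WordPress site."""
    if referer in ("", "-"):
        return True  # browsers normally send one for same-site admin AJAX
    host = (urlsplit(referer).hostname or "").lower()
    return host != site_domain and not host.endswith("." + site_domain)

def flag_csrf_candidates(lines, site_domain=SITE_DOMAIN):
    """Return admin-ajax.php POSTs whose Referer is missing or cross-site."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST":
            continue
        url = urlsplit(m["path"])
        if url.path != "/wp-admin/admin-ajax.php":
            continue
        if not referer_is_foreign(m["referer"], site_domain):
            continue
        action = parse_qs(url.query).get("action", [""])[0]
        hits.append({
            "ip": m["ip"],
            "action": action,
            "referer": m["referer"],
            # kivicare_* actions are the ones this CVE concerns
            "severity": "high" if action.startswith("kivicare") else "low",
        })
    return hits

# Constructed sample lines; the kivicare_* action names are hypothetical.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2023:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=kivicare_delete_appointment HTTP/1.1" 200 45 "https://evil.example/lure.html" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2023:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=kivicare_get_appointments HTTP/1.1" 200 1200 "https://clinic.example/wp-admin/admin.php?page=dashboard" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2023:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "https://clinic.example/wp-admin/" "Mozilla/5.0"',
    '198.51.100.7 - - [10/May/2023:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=kivicare_list HTTP/1.1" 200 80 "https://evil.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2023:12:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=kivicare_delete_appointment HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
]
```

Running `flag_csrf_candidates(SAMPLE_LOG)` on these samples returns the two cross-site or Referer-less kivicare POSTs and ignores the same-site traffic and the GET.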
