CVE-2026-40792— WordPress KiviCare plugin <= 4.2.1 - Insecure Direct Object References (IDOR) vulnerability
Possible ATT&CK Techniques 1AI
T1528 · Steal Application Access TokenAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Iqonic Design | KiviCare | n/a≤ 4.2.1 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40792
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
WordPress KiviCare plugin <= 4.2.1 - Insecure Direct Object References (IDOR) vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
Subscriber Insecure Direct Object References (IDOR) in KiviCare <= 4.2.1 versions.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过用户控制密钥绕过授权机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Iqonic Design KiviCare 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Iqonic Design KiviCare是Iqonic Design的医疗诊所管理插件。 Iqonic Design KiviCare 4.2.1及之前版本存在授权问题漏洞,该漏洞源于订阅者不安全的直接对象引用(IDOR),可能导致低权限攻击者通过网络访问,在无需用户交互的情况下,对部分数据造成机密性、完整性和可用性影响。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Iqonic Design | KiviCare | n/a ~ 4.2.1 | - |
II. Public POCs for CVE-2026-40792
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40792
请登录查看更多情报信息。
News Coverage for CVE-2026-40792 (1)
IV. Related Vulnerabilities
Same product: KiviCare
- CVE-2026-42735
WordPress KiviCare plugin <= 4.3.0 - Broken Authentication v - CVE-2026-25383
WordPress KiviCare plugin <= 3.6.16 - Reflected Cross Site S - CVE-2026-25034
WordPress KiviCare plugin <= 3.6.16 - Broken Access Control - CVE-2026-25022
WordPress KiviCare plugin <= 3.6.16 - SQL Injection vulnerab - CVE-2025-66095
WordPress KiviCare plugin <= 3.6.13 - SQL Injection vulnerab
Same vendor: Iqonic Design
- CVE-2026-42735
WordPress KiviCare plugin <= 4.3.0 - Broken Authentication v - CVE-2026-25383
WordPress KiviCare plugin <= 3.6.16 - Reflected Cross Site S - CVE-2026-25034
WordPress KiviCare plugin <= 3.6.16 - Broken Access Control - CVE-2026-25022
WordPress KiviCare plugin <= 3.6.16 - SQL Injection vulnerab - CVE-2025-66095
WordPress KiviCare plugin <= 3.6.13 - SQL Injection vulnerab
Same weakness: CWE-639
- CVE-2026-12411
Broken Access Control in Canonical LXD DevLXD API - CVE-2026-57665
WordPress GravityView plugin <= 3.0.0 - Insecure Direct Obje - CVE-2026-57652
WordPress JS Help Desk plugin <= 3.1.0 - Insecure Direct Obj - CVE-2026-57646
WordPress Majestic Support plugin <= 1.1.7 - Insecure Direct - CVE-2026-57634
WordPress PPWP plugin <= 1.9.19 - Insecure Direct Object Ref
V. Comments for CVE-2026-40792
No comments yet