CVE-2026-42735
Authentication Bypass via Alternate Path in KiviCare Clinic Management System
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Patchstack
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iqonic_design | kivicare | up to 4.3.0 (inclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability involves broken authentication that allows unauthenticated attackers to gain administrative access, which can lead to unauthorized access to sensitive personal or health data.
Such unauthorized access can result in violations of common standards and regulations like GDPR and HIPAA, which require strict controls over authentication and protection of personal and health information.
Failure to address this vulnerability could therefore lead to non-compliance with these regulations, potentially resulting in legal and financial consequences.
Can you explain this vulnerability to me?
CVE-2026-42735 is a high-priority Broken Authentication vulnerability in the WordPress KiviCare Plugin versions 4.3.0 and below. It allows unauthenticated attackers to bypass authentication mechanisms by exploiting an alternate path or channel, specifically targeting the password recovery functionality. This enables attackers to perform actions normally restricted to higher-privileged users, potentially gaining administrative access to the affected website.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized administrative access to your website. Attackers exploiting this flaw can bypass authentication controls without any user interaction or privileges, leading to potential data breaches, unauthorized changes, and control over the website. The vulnerability is actively targeted in mass-exploit campaigns, increasing the risk to thousands of websites regardless of their size or popularity.
What immediate steps should I take to mitigate this vulnerability?
Immediate action is required to mitigate the risk of this high-priority Broken Authentication vulnerability in KiviCare Plugin versions 4.3.0 and below.
- Update the KiviCare plugin to version 4.4.0 or later.
- Apply the mitigation rule provided by Patchstack if updating is not immediately possible.
- Enable auto-updates for vulnerable plugins if you are a Patchstack user to ensure timely protection.