Description
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files.
Published: 2026-01-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Arbitrary File Upload
Action: Apply Patch
AI Analysis

Impact

The KiviCare – Clinic & Patient Management System plugin lets unauthenticated attackers upload text and PDF files through the uploadMedicalReport() function because the handler performs no authorization check before accepting the upload (CWE-862). Files of these two types are not executed by the server, which is why the advisory title calls the upload "limited" and the CVSS vector records an integrity-only impact; the practical risk is that an attacker can store content of their choosing on a clinic's trusted domain, for example a phishing PDF, and link to it from elsewhere. That also gives an attacker a low-cost foothold to combine with other weaknesses on the same site.

Affected Systems

The vulnerability affects the KiviCare – Clinic & Patient Management System (EHR) plugin from iqonicdesign, versions up to and including 3.6.15. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (Medium) follows from the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N: reachable over the network, low attack complexity, no privileges or user interaction required, but with a low impact on integrity only and none on confidentiality or availability. That integrity-only impact is what keeps an unauthenticated upload out of the High range. The SSVC decision points recorded in the History section rate it Automatable: yes with no known exploitation, the EPSS score below 1% suggests exploitation attempts are expected to be rare, and the vulnerability is not listed in the CISA KEV catalog. The attack is a single unauthenticated HTTP request to the upload endpoint carrying a text or PDF file. Because only those file types are accepted, the direct effect is limited to attacker-controlled files stored on the server; how useful that is to an attacker depends on whether the stored file's URL is returned or predictable, and on what the attacker intends to do with content hosted on the site's domain (phishing, staging material for other campaigns).

Generated by OpenCVE AI on April 15, 2026 at 19:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to KiviCare – Clinic & Patient Management System 3.6.16 or later, the first version after the affected range (<= 3.6.15). The Remediation field above still records no vendor-confirmed fix, so confirm in the plugin changelog that the release adds an authorization check to uploadMedicalReport() before relying on the upgrade alone.
  • If an upgrade cannot be performed immediately, block unauthenticated access to the uploadMedicalReport() endpoint (for example with a WAF rule in front of the site) so that only authenticated users with the appropriate capability can reach it.
  • Filtering plain text and PDF uploads through WordPress's upload restrictions (the upload_mimes filter) reduces exposure only if the plugin's handler goes through WordPress's own file-type checks, and it also blocks legitimate medical reports; treat it as a stopgap, not a fix for the missing authorization check.
  • Audit wp-content/uploads for .txt and .pdf files that no clinic user uploaded, and check web server logs for unauthenticated POST requests to the plugin's upload path, to detect abuse that may have preceded the patch.
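
The missing-authorization pattern and its fix, as an added example that is not KiviCare's code: a hypothetical WordPress AJAX upload handler in the shape the description implies, first registered so that anonymous visitors can reach it with no capability check, then hardened with the checks a reviewer would expect. The hook names, the `example_upload_report` capability, the `report` form field, the nonce action and the size limit are all assumptions of this example.

```php
<?php
// Added example (not the plugin's code). All names are hypothetical.

// --- Vulnerable shape (CWE-862) -------------------------------------------
// Registering the callback under wp_ajax_nopriv_* makes admin-ajax.php run it
// for visitors who are not logged in; with no current_user_can() inside, any
// visitor can store a file in wp-content/uploads.
add_action( 'wp_ajax_nopriv_example_upload_medical_report', 'example_upload_medical_report_vulnerable' );
add_action( 'wp_ajax_example_upload_medical_report', 'example_upload_medical_report_vulnerable' );

function example_upload_medical_report_vulnerable() {
    if ( empty( $_FILES['report'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    // No nonce and no capability check: anyone who finds the action name gets here.
    $result = wp_handle_upload( $_FILES['report'], array( 'test_form' => false ) );
    wp_send_json( $result );
}

// --- Hardened shape ---------------------------------------------------------
// 1. Only the authenticated hook is registered; there is no wp_ajax_nopriv_ line.
add_action( 'wp_ajax_example_upload_medical_report', 'example_upload_medical_report_secure' );

function example_upload_medical_report_secure() {
    // 2. CSRF: the form carries a nonce made with wp_create_nonce( 'example_upload_report' ).
    check_ajax_referer( 'example_upload_report', 'nonce' );

    // 3. Authorization: a capability the plugin would grant to clinic staff.
    if ( ! current_user_can( 'example_upload_report' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_FILES['report'] ) || ! is_uploaded_file( $_FILES['report']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 4. Allowlist by extension AND by sniffed content. The client's
    //    Content-Type header is attacker-controlled and is never consulted.
    $allowed = array( 'pdf' => 'application/pdf', 'txt' => 'text/plain' );
    $check   = wp_check_filetype_and_ext( $_FILES['report']['tmp_name'], $_FILES['report']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    $finfo   = finfo_open( FILEINFO_MIME_TYPE );
    $sniffed = finfo_file( $finfo, $_FILES['report']['tmp_name'] );
    finfo_close( $finfo );
    if ( $sniffed !== $check['type'] ) {
        wp_send_json_error( 'content does not match extension', 415 );
    }

    // 5. Size cap (10 MB is an assumed limit) and a server-chosen file name,
    //    so the caller controls neither the path nor the stored name.
    if ( $_FILES['report']['size'] > 10 * MB_IN_BYTES ) {
        wp_send_json_error( 'too large', 413 );
    }
    $_FILES['report']['name'] = wp_generate_uuid4() . '.' . $check['ext'];

    $result = wp_handle_upload( $_FILES['report'], array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }
    // Only the generated basename is returned; the caller learns nothing
    // about the uploads directory layout it did not already know.
    wp_send_json_success( array( 'file' => basename( $result['file'] ) ) );
}
```

The ordering matters: the capability check runs before the file is touched, so an unauthorized request costs nothing beyond the request itself, and the content sniff runs after the extension allowlist so a file renamed to `.pdf` with non-PDF bytes is rejected at step 4 rather than stored and served.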


Advisories

No advisories yet.

History

Fri, 23 Jan 2026 17:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 23 Jan 2026 16:45:00 +0000

Type: First Time appeared
Values removed: none
Values added: Iqonicdesign; Iqonicdesign kivicare – Clinic & Patient Management System (ehr); Wordpress; Wordpress wordpress

Type: Vendors & Products
Values removed: none
Values added: Iqonicdesign; Iqonicdesign kivicare – Clinic & Patient Management System (ehr); Wordpress; Wordpress wordpress

Fri, 23 Jan 2026 05:45:00 +0000

Type: Description
Values removed: none
Values added: The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files.

Type: Title
Values removed: none
Values added: KiviCare – Clinic & Patient Management System (EHR) <= 3.6.15 - Missing Authorization to Unauthenticated Limited Arbitrary File Upload

Type: Weaknesses
Values removed: none
Values added: CWE-862

Type: References
Values removed: none
Values added: (not captured on this page)

Type: Metrics
Values removed: none
Values added: cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:50:16.456Z

Reserved: 2026-01-13T21:23:11.170Z

Link: CVE-2026-0927

Vulnrichment

Updated: 2026-01-23T16:21:02.510Z

NVD

Status : Deferred

Published: 2026-01-23T06:15:50.480

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0927

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T19:15:12Z

Weaknesses