WordPress Plugin Vulnerabilities

KiviCare – Clinic & Patient Management System (EHR) < 3.6.16 - Missing Authorization to Unauthenticated Limited Arbitrary File Upload

Description

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files.

Affects Plugins

Plugin icon
kivicare-clinic-management-system
Fixed in 3.6.16

References

CVE
CVE-2026-0927
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/489931ef-bac3-4de8-84ec-6f226d96f778

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Sarawut Poolkhet (MisterHelloz)
Verified
No
WPVDB ID
c9645d78-053c-4602-823d-589d064bc36c

Timeline

Publicly Published
2026-01-22 (about 4 months ago)
Added
2026-01-22 (about 4 months ago)
Last Updated
2026-01-23 (about 4 months ago)

Other

Published
Title
Published
2022-03-31
Title
ThirstyAffiliates < 3.10.5 - Subscriber+ unauthorized image upload + CSRF
Published
2023-12-27
Title
Piotnet Forms < 1.0.30 - Missing Authorization via multiple AJAX actions
Published
2025-12-10
Title
Audier For Elementor <= 1.0.9 - Missing Authorization
Published
2025-04-03
Title
TuriTop Booking System <= 1.0.10 - Missing Authorization
Published
2025-08-22
Title
Greenshift < 12.1.2 - Missing Authorization