CVE-2026-0927
Arbitrary File Upload in KiviCare EHR Plugin Allows Remote Abuse
Publication date: 2026-01-23
Last updated on: 2026-01-23
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kivicare | kivicare_clinic_management_system | up to and including 3.6.15 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the KiviCare Clinic & Patient Management System WordPress plugin allows unauthenticated attackers to upload arbitrary files, specifically text files and PDF documents, due to missing authorization checks in the uploadMedicalReport() function in versions up to 3.6.15. This means attackers can upload files without permission, potentially using these files to host malicious content or phishing pages on the affected server.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to upload malicious files to your server without authentication. These files could be used to host harmful content such as phishing pages or malware, which can compromise your website's integrity, harm your users, damage your reputation, and potentially lead to further attacks on your infrastructure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the affected WordPress site is running the KiviCare Clinic & Patient Management System plugin version 3.6.15 or earlier. Specifically, you can test if the uploadMedicalReport() function allows unauthenticated arbitrary file uploads. A practical detection method is to attempt uploading a text or PDF file to the medical report upload endpoint without authentication and observe if the upload is accepted. Since the exact upload URL or endpoint is not provided, you may look for typical plugin upload endpoints or monitor HTTP POST requests to the server for unauthorized file uploads. Additionally, scanning web server logs for unexpected file uploads or suspicious POST requests targeting the plugin's upload functionality can help detect exploitation attempts. No specific commands are provided in the resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the KiviCare Clinic & Patient Management System plugin to version 3.6.16 or later, where the uploadMedicalReport() function has been patched to include proper permission checks that prevent unauthorized uploads. If updating is not immediately possible, restrict access to the upload endpoint by implementing web server rules (e.g., via .htaccess or a firewall) that block unauthenticated POST requests to the upload functionality. Additionally, monitor and audit uploaded files for suspicious content and remove any unauthorized files. Applying the principle of least privilege and ensuring that user permissions are properly enforced can also help mitigate the risk. [3]
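As an added illustration of the fix described above (this is hypothetical example code, not the KiviCare plugin's implementation; the action names, nonce name, the `example_manage_reports` capability and the `report` form field are all assumed), the block below shows the CWE-862 shape of the bug, a WordPress AJAX upload handler that is reachable by unauthenticated visitors and never checks what the caller may do, beside a hardened handler that enforces a nonce, a capability check, content-based file-type validation and a size cap. The capability check is the part that addresses the missing authorization; the other checks are defence in depth.

```php
<?php
/**
 * Illustrative WordPress AJAX upload handlers. Hypothetical code, not the
 * plugin's own: hook names, nonce action and capability are assumed.
 */
require_once ABSPATH . 'wp-admin/includes/file.php';

// --- Vulnerable pattern (CWE-862) -------------------------------------------
// wp_ajax_nopriv_* exposes the action to visitors who are not logged in, and
// the handler never asks who is calling or whether they are allowed to upload.
add_action( 'wp_ajax_nopriv_example_upload_report', 'example_upload_report_unchecked' );
add_action( 'wp_ajax_example_upload_report', 'example_upload_report_unchecked' );

function example_upload_report_unchecked() {
    if ( empty( $_FILES['report'] ) ) {
        wp_send_json_error( 'no file' );
    }
    // Writes whatever was posted straight into wp-content/uploads.
    $result = wp_handle_upload( $_FILES['report'], array( 'test_form' => false ) );
    wp_send_json_success( $result );
}

// --- Hardened pattern -------------------------------------------------------
// No wp_ajax_nopriv_ registration, so only logged-in callers reach the hook;
// the request must carry a nonce for this action; the caller must hold a
// capability granted only to the intended roles; the file is validated first.
add_action( 'wp_ajax_example_upload_report_secure', 'example_upload_report_checked' );

function example_upload_report_checked() {
    // 1. Anti-CSRF: the form must send the value from wp_create_nonce(
    //    'example_upload_report_nonce' ) in the 'nonce' request parameter.
    check_ajax_referer( 'example_upload_report_nonce', 'nonce' );

    // 2. Authorization: the check the vulnerable handler lacks. The custom
    //    capability is assumed; grant it to clinic roles via add_cap() on
    //    plugin activation rather than reusing a broad capability.
    if ( ! current_user_can( 'example_manage_reports' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_FILES['report'] ) || ! is_uploaded_file( $_FILES['report']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Content validation: only the types the feature needs, checked against
    //    the file's actual content rather than its client-supplied name.
    $allowed = array( 'pdf' => 'application/pdf', 'txt' => 'text/plain' );
    $check   = wp_check_filetype_and_ext(
        $_FILES['report']['tmp_name'],
        $_FILES['report']['name'],
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'unsupported file type', 415 );
    }

    // 4. Size cap, so the endpoint cannot be used to fill the disk.
    if ( $_FILES['report']['size'] > 10 * MB_IN_BYTES ) {
        wp_send_json_error( 'file too large', 413 );
    }

    $result = wp_handle_upload(
        $_FILES['report'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 500 );
    }

    // 5. Record who uploaded what, so the audit step in the mitigation list
    //    has something to work from.
    error_log( sprintf( 'report upload by user %d: %s', get_current_user_id(), $result['file'] ) );
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
```

When reviewing a plugin for this class of issue, the two questions to ask of every upload handler are whether it is registered on a `wp_ajax_nopriv_` hook (or an unauthenticated REST route) and whether the first thing it does is a `current_user_can()` check for a capability narrower than the role the site hands out by default.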
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to upload arbitrary files, including text and PDF documents, to the affected server. This could lead to hosting malicious content or phishing pages, potentially compromising the confidentiality and integrity of patient data managed by the KiviCare Clinic & Patient Management System. Such unauthorized access and potential data exposure could violate compliance requirements under standards like GDPR and HIPAA, which mandate strict controls on personal health information and data security. Therefore, this vulnerability poses a risk to compliance with these regulations by enabling unauthorized data manipulation and potential data breaches. [3]