cleantalk
Vulnerabilities and Security Researches

KiviCare – Clinic & Patient Management System (EHR), CVE-2026-0927

CVE, Research URL

CVE-2026-0927

Home page URL

Security reports for KiviCare – Clinic & Patient Management System (EHR)

Application

KiviCare – Clinic & Patient Management System (EHR)

Published on
Jan 23, 2026
Research Description
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files.
Affected versions
max 3.6.16.
Status
vulnerable
Previous vulnerability researches
GatorMail SmartForms (CVE-2024-11386) , Jan 12, 2025
Smart Forms – when you need more than just a contact form (CVE-2024-1905) , Jun 07, 2024
Smart Forms – when you need more than just a contact form (CVE-2023-7203) , Jun 07, 2024
Smart Forms – when you need more than just a contact form (CVE-2024-1307) , Jun 07, 2024
Smart Forms – when you need more than just a contact form (CVE-2024-1306) , Jun 07, 2024
New vulnerability
Popup Box – new WordPress popup plugin (CVE-2025-12122) , Apr 19, 2026
KiviCare – Clinic & Patient Management System (EHR) (CVE-2026-0927) , Apr 19, 2026
Terms Dictionary (CVE-2025-39534) , Apr 19, 2026
Quiz Maker (CVE-2025-58015) , Apr 19, 2026
Canto (CVE-2026-6441) , Apr 19, 2026