CVE-2026-0927

5.3 MEDIUM

📋 TL;DR

The KiviCare WordPress plugin lets unauthenticated attackers upload text and PDF files of their choosing because the medical report upload handler performs no authorization check. Every WordPress site running KiviCare 3.6.15 or earlier is affected. The uploaded files are served from the clinic's own domain, which makes them useful as phishing lures or for hosting other harmful content.

💻 Affected Systems

Products:
  • KiviCare – Clinic & Patient Management System (EHR) WordPress plugin
Versions: All versions up to and including 3.6.15
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any WordPress installation where an affected KiviCare version is installed and active.

⚠️ Manual Verification Required

The vulnerability database record used by this site's automated checks does not carry a machine-readable version range, so scanners driven by it may not flag affected installations even though the affected range (3.6.15 and earlier) and the fixed release (3.6.16) are known and stated above.

Why? The CVE record does not specify affected version ranges in a structured form (none provided by the vendor/NVD), so the installed version has to be read and compared by hand.


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Update to 3.6.16 or later; the fix is released, so this is not merely precautionary

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker hosts malicious PDFs or text files on the clinic's own domain, whose reputation makes phishing links and malware lures more convincing, compromising user credentials and the site's integrity. Because only .txt and .pdf uploads are described, this bug alone does not give code execution; complete site takeover requires chaining it with a second vulnerability.

🟠 Likely Case

Attackers upload phishing PDFs or text files containing malicious links, tricking users into revealing credentials or downloading malware.

🟢 If Mitigated

With an authorization check on the upload handler and file-type validation, only medical reports from authenticated users are stored and normal functionality is preserved.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit as it requires no authentication and involves simple file upload requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.16 or later

Fix Commit (plugin SVN changeset; no separate vendor advisory is linked): https://plugins.trac.wordpress.org/changeset/3443088/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the KiviCare plugin and click 'Update Now'.
4. Verify the version shown is 3.6.16 or higher.

🔧 Temporary Workarounds

Disable KiviCare Plugin

Platform: all

Temporarily deactivate the plugin until it can be updated. Appointment booking and the patient records KiviCare manages are unavailable while it is off, and files already uploaded remain on disk and reachable by URL, so review the upload directory as well.

wp plugin deactivate kivicare-clinic-management-system

Stop Apache from Serving Uploaded Reports via .htaccess

Platform: linux (Apache with AllowOverride permitting FilesMatch; Nginx ignores .htaccess)

This does not block the upload itself, which goes through admin-ajax.php; it stops the web server from delivering .txt and .pdf files out of the medical report directory, so an attacker's uploads cannot be used as hosted phishing or malware lures. Place the file in wp-content/uploads/kivicare/medical_report/.htaccess, not in the site root, where the same pattern would also block robots.txt, every legitimate PDF and other text files. Legitimate users lose direct downloads of their reports for as long as the rule is in place. The Require directive is the Apache 2.4 form; the Order/Deny pair is kept as a fallback for 2.2.

# wp-content/uploads/kivicare/medical_report/.htaccess
<FilesMatch "\.(txt|pdf)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</FilesMatch>

🧯 If You Can't Patch

  • Add a WAF rule that blocks POST requests to /wp-admin/admin-ajax.php whose action parameter is uploadMedicalReport when the request carries no wordpress_logged_in_* cookie. Do not block admin-ajax.php wholesale: WordPress core and many plugins legitimately serve anonymous visitors through it (public booking forms included).
  • Monitor the KiviCare upload directory (wp-content/uploads/kivicare/medical_report) for new .txt or .pdf files, and review what is already there, since files uploaded before mitigation remain served to anyone holding the URL.
  • Log request bodies at the WAF or application layer; a standard access log does not record the action parameter, so without it the upload cannot be told apart from any other admin-ajax.php call.

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > KiviCare version. If version is 3.6.15 or lower, system is vulnerable.

Check Version:

wp plugin get kivicare-clinic-management-system --field=version

Verify Fix Applied:

After updating, confirm KiviCare version is 3.6.16 or higher in WordPress plugins list.
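A scripted version of the check in this section, for fleets where reading the plugin list by hand does not scale. This is an added example, not code from the advisory or from the KiviCare project: it wraps the WP-CLI command shown above (`wp plugin get <slug> --field=version`), so WP-CLI must be installed and the path given must be a WordPress root readable by the calling user (add `--allow-root` to the command if you must run it as root). The version comparison itself needs nothing external and handles two-part or suffixed version strings.

```python
"""Tell whether the installed KiviCare build is older than the first fixed release.

Added example; not code from the advisory or the plugin. It wraps the WP-CLI
command `wp plugin get <slug> --field=version`, so WP-CLI must be installed and
the path passed must be the WordPress root; the version comparison itself needs
nothing external.
"""
import re
import subprocess
import sys
from typing import Optional

PLUGIN_SLUG = "kivicare-clinic-management-system"
FIXED_VERSION = "3.6.16"   # first release containing the fix, per the advisory


def parse_version(text: str) -> tuple[int, ...]:
    """'3.6.15' or '3.6.15-beta' -> (3, 6, 15); short versions are padded with zeros."""
    m = re.match(r"[0-9]+(?:\.[0-9]+)*", text.strip().lstrip("v"))
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in m.group(0).split("."))
    return nums + (0,) * max(0, 3 - len(nums))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when installed < fixed: 3.6.15 and everything older is affected."""
    return parse_version(installed) < parse_version(fixed)


def installed_version(wp_path: str = ".") -> Optional[str]:
    """Ask WP-CLI for the plugin's version; None if WP-CLI or the plugin is missing."""
    cmd = ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={wp_path}"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, check=True, timeout=60)
    except (OSError, subprocess.CalledProcessError, subprocess.TimeoutExpired):
        return None
    return out.stdout.strip() or None


def assess(wp_path: str = ".") -> str:
    """One-line verdict for the site rooted at wp_path."""
    version = installed_version(wp_path)
    if version is None:
        return f"KiviCare not found (or WP-CLI unavailable) at {wp_path}"
    state = "VULNERABLE, update now" if is_vulnerable(version) else "patched"
    return f"KiviCare {version} at {wp_path}: {state} (fixed in {FIXED_VERSION}+)"


if __name__ == "__main__":
    # Usage: python3 kivicare_check.py /var/www/html
    print(assess(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Run it once per WordPress root; a site that reports "patched" still needs the upload directory reviewed for files dropped before the update.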

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=uploadMedicalReport from clients that present no wordpress_logged_in_* cookie (an IP address is not "unauthenticated"; the missing WordPress session cookie is what marks the request)
  • Unexpected .txt or .pdf files appearing in wp-content/uploads/kivicare/medical_report, especially files whose names or contents do not match a genuine report

Network Indicators:

  • POST requests to the admin-ajax.php upload action without a WordPress login cookie (WordPress authenticates admin-ajax.php with cookies, not HTTP authentication headers)
  • Bursts of uploads from one client, or uploads with unusual filenames

SIEM Query:

source="web_server_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND params.action="uploadMedicalReport" AND NOT cookie_names="wordpress_logged_in_*"

The action parameter travels in the POST body, so params.action is populated only if the log source captures request bodies (a WAF, the ModSecurity audit log, or an application-level logger); a plain access log shows only a POST to admin-ajax.php, indistinguishable from every other AJAX call. Do not filter on user agent: attackers send whatever User-Agent they like, and "WordPress/*" is the agent of WordPress's own server-side requests, so excluding it hides nothing useful.
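The indicators above as runnable hunting logic, applied to a handful of constructed request records. This is an added example, not code from the advisory or the plugin. It assumes the requests were exported as JSON lines by a WAF or an application-level logger that records POST parameters and cookie names; the field names (src_ip, method, uri, query_args, post_args, cookies) and the sample records are this example's own constructions. The predicate in is_unauthenticated_upload is the same condition a WAF rule would enforce to block the attack.

```python
"""Hunt for unauthenticated KiviCare medical-report uploads in request logs.

Added example; not code from the advisory or the KiviCare plugin. It assumes
request records exported as JSON lines by a WAF or an application-level logger
that captures POST parameters and cookie names. A plain Apache/Nginx access
log records neither, so the admin-ajax `action` parameter is invisible there.
The field names and the sample records are this example's own constructions.
"""
import json
from collections import Counter
from typing import Iterable

AJAX_PATH = "/wp-admin/admin-ajax.php"
UPLOAD_ACTION = "uploadMedicalReport"         # action name given in the advisory
LOGIN_COOKIE_PREFIX = "wordpress_logged_in_"  # set by WordPress for authenticated sessions


def is_unauthenticated_upload(rec: dict) -> bool:
    """POST to admin-ajax.php carrying the upload action but no WordPress login cookie."""
    if rec.get("method") != "POST" or not rec.get("uri", "").endswith(AJAX_PATH):
        return False
    # admin-ajax.php reads `action` from either the POST body or the query string.
    action = rec.get("post_args", {}).get("action") or rec.get("query_args", {}).get("action")
    if action != UPLOAD_ACTION:
        return False
    # A wordpress_logged_in_<hash> cookie means the caller at least had a session;
    # its absence is what separates CVE-2026-0927 abuse from normal staff uploads.
    return not any(c.startswith(LOGIN_COOKIE_PREFIX) for c in rec.get("cookies", []))


def hunt(lines: Iterable[str]) -> list[dict]:
    """Return the suspicious records from JSON-lines input, skipping malformed lines."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict) and is_unauthenticated_upload(rec):
            hits.append(rec)
    return hits


def offenders(hits: list[dict]) -> dict[str, int]:
    """Attempts per source IP; repeated hits from one address point at automated abuse."""
    return dict(Counter(h.get("src_ip", "unknown") for h in hits))


def summarize(raw: str) -> dict:
    """Total hits and per-IP counts for a JSON-lines blob."""
    hits = hunt(raw.splitlines())
    return {"hits": len(hits), "by_ip": offenders(hits)}


# Constructed sample records (not real traffic).
SAMPLE_LOG = "\n".join([
    # Legitimate: a logged-in receptionist uploads a report.
    json.dumps({"ts": "2026-01-14T09:12:01Z", "src_ip": "203.0.113.10", "method": "POST",
                "uri": "/wp-admin/admin-ajax.php", "status": 200,
                "post_args": {"action": "uploadMedicalReport"},
                "cookies": ["wordpress_logged_in_4f1c", "wp-settings-time-2"]}),
    # Suspicious: same action, no login cookie at all.
    json.dumps({"ts": "2026-01-14T09:13:44Z", "src_ip": "198.51.100.7", "method": "POST",
                "uri": "/wp-admin/admin-ajax.php", "status": 200,
                "post_args": {"action": "uploadMedicalReport"}, "cookies": []}),
    # Suspicious: action in the query string, only an unrelated cookie present.
    json.dumps({"ts": "2026-01-14T09:13:45Z", "src_ip": "198.51.100.7", "method": "POST",
                "uri": "/wp-admin/admin-ajax.php", "status": 200,
                "query_args": {"action": "uploadMedicalReport"}, "post_args": {},
                "cookies": ["PHPSESSID"]}),
    # Benign: a different anonymous admin-ajax action (many plugins expose these).
    json.dumps({"ts": "2026-01-14T09:14:02Z", "src_ip": "192.0.2.33", "method": "POST",
                "uri": "/wp-admin/admin-ajax.php", "status": 200,
                "post_args": {"action": "some_other_public_action"}, "cookies": []}),
    "garbage line that is not JSON",
])

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['src_ip']} unauthenticated {UPLOAD_ACTION} -> HTTP {hit['status']}")
    print(offenders(hunt(SAMPLE_LOG.splitlines())))
```

On the sample data the receptionist's upload and the unrelated public action are ignored, the two cookie-less upload attempts from 198.51.100.7 are reported. A 200 response on such a hit means the server accepted the file; pair the hit with a listing of the upload directory to find what was stored.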
