KiviCare Clinic and Patient Management System WordPress Plugin Arbitrary File Upload Vulnerability

Vulnerability

A vulnerability allowing arbitrary file uploads has been identified in the KiviCare Clinic & Patient Management System (EHR) WordPress plugin, affecting all versions through 3.6.15. The issue arises from inadequate authorization checks in the uploadMedicalReport() function, which allow unauthenticated users to upload text files and PDF documents to the server. This could be exploited to host malicious content or phishing pages using the uploaded PDF files.

Impact

Exploitation of this vulnerability could lead to unauthorized file uploads, allowing for the distribution of malicious content or phishing attempts via uploaded PDF documents.

Reproduction

The vulnerability can be reproduced by sending an upload request to the endpoint that invokes uploadMedicalReport() without being logged in. Because the function performs no authorization check before accepting the upload, an unauthenticated user can store a text or PDF file on the server and then reference it by its public URL.

Remediation

Users are advised to update the KiviCare WordPress plugin to version 3.6.16 or later.
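For developers maintaining similar upload features, the following is an added example of the class of check the fix needs. It is not KiviCare's code and not the vendor's patch; the action name example_upload_report, the capability upload_files and the form field report are assumptions chosen for illustration. It contrasts the vulnerable pattern (a handler exposed to logged-out users that trusts the client) with a hardened WordPress AJAX handler that requires a logged-in user, a nonce, a capability, and a server-side file-type check against an allow-list.

```php
<?php
// Added example, not KiviCare's code. Action name, capability and field name
// are assumptions; the WordPress APIs used are the real core functions.

// Vulnerable pattern: registered for logged-out users (wp_ajax_nopriv_*),
// no nonce, no capability check, file type taken on trust from the client.
add_action( 'wp_ajax_nopriv_example_upload_report', 'example_upload_report_vulnerable' );
function example_upload_report_vulnerable() {
    $upload = wp_handle_upload( $_FILES['report'], array( 'test_form' => false ) );
    wp_send_json( $upload );
}

// Hardened pattern: only registered for logged-in users (wp_ajax_*), and the
// handler itself re-checks intent, authorization and file type.
add_action( 'wp_ajax_example_upload_report', 'example_upload_report_hardened' );
function example_upload_report_hardened() {
    // Nonce tied to this action; dies with 403 if missing or invalid.
    check_ajax_referer( 'example_upload_report', 'nonce' );

    // Capability check. 'upload_files' is an assumption for this example;
    // a real plugin would use the capability that matches its own roles.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    if ( empty( $_FILES['report'] ) || UPLOAD_ERR_OK !== $_FILES['report']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Allow-list only the types this feature needs and let WordPress verify
    // that the extension and the sniffed MIME type agree with each other.
    $allowed = array(
        'pdf' => 'application/pdf',
        'txt' => 'text/plain',
    );
    $check = wp_check_filetype_and_ext(
        $_FILES['report']['tmp_name'],
        sanitize_file_name( $_FILES['report']['name'] ),
        $allowed
    );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'type not allowed', 415 );
    }

    $upload = wp_handle_upload(
        $_FILES['report'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 500 );
    }

    wp_send_json_success( array( 'url' => $upload['url'] ) );
}
```

Note that the type allow-list alone would not have prevented the issue described on this page: the reported bug accepted only text and PDF files, and PDFs are still usable for phishing. The control that matters here is the authorization check, and for records such as medical reports it is also worth serving the stored files through an authenticated download handler rather than a world-readable path under wp-content/uploads.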

Added: Jan 23, 2026, 6:25 AM
Updated: Jan 23, 2026, 6:25 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 9.3
remediation: 7.7
relevance: 2.2
threat: 4.8
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.