Iqonicdesign Kivicare Clinic Patient Management System vulnerabilities
7 known vulnerabilities affecting iqonicdesign/kivicare_clinic_patient_management_system.
Total CVEs: 7
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 3
Vulnerabilities
CVE-2026-2991 | HIGH | CVSS 7.3 | CWE-287 | affected: ≤ 4.1.2 | published: 2026-03-18
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2. This is due to the `patientSocialLogin()` function not verifying the social provider access token before authenticating a user. This makes it possible for unauthenticated attackers to log in as
Sources: cvelistv5, nvd
CVE-2026-2992 | HIGH | CVSS 8.2 | CWE-862 | affected: ≤ 4.1.2 | published: 2026-03-18
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to create a new clinic and a WordPress user w
Sources: cvelistv5, nvd
CVE-2026-0927 | MEDIUM | CVSS 5.3 | CWE-862 | affected: ≤ 3.6.15 | published: 2026-01-23
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's s
Sources: cvelistv5, nvd
CVE-2025-1572 | HIGH | CVSS 8.8 | CWE-89 | affected: ≤ 3.6.7 | published: 2025-02-28
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'u_id' parameter in all versions up to, and including, 3.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with
Sources: cvelistv5, nvd
CVE-2024-11728 | HIGH | CVSS 7.5 | CWE-89 | public PoC available | affected: ≤ 3.6.4 | published: 2024-12-06
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'visit_type[service_id]' parameter of the tax_calculated_data AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query
Sources: cvelistv5, nvd
CVE-2024-11729 | MEDIUM | CVSS 6.5 | CWE-89 | affected: ≤ 3.6.4 | published: 2024-12-06
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'service_list[0][service_id]' parameter of the get_widget_payment_options AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the exis
Sources: cvelistv5, nvd
CVE-2024-11730 | MEDIUM | CVSS 6.5 | CWE-89 | affected: ≤ 3.6.4 | published: 2024-12-06
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'sort[]' parameter of the static_data_list AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it p
Sources: cvelistv5, nvd