Skip to main content

KiviCare EHR CVE-2026-15073

| EUVDEUVD-2026-43121 MEDIUM
SQL Injection (CWE-89)
2026-07-11 Wordfence GHSA-hvqv-gc8j-r5g2
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network REST API endpoint (AV:N), no special conditions beyond role possession (AC:L), requires plugin-specific authenticated role (PR:L); read-only ORDER BY injection yields confidentiality impact only (C:H/I:N/A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 03:54 vuln.today
CVE Published
Jul 11, 2026 - 02:31 cve.org
MEDIUM 6.5

DescriptionCVE.org

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires a KiviCare Doctor, Receptionist, or Clinic Admin role at minimum, as the vulnerable REST endpoint is restricted to authenticated users with custom plugin-level access.

AnalysisAI

SQL injection in the KiviCare - Clinic & Patient Management System (EHR) WordPress plugin through version 4.5.0 enables authenticated clinic users to extract arbitrary data from the underlying database via a manipulated 'orderby' REST API parameter. The flaw resides in DoctorSessionController.php (lines 648 and 660) where user-supplied sort values are concatenated into queries without escaping or prepared-statement protections, cascading through KCQueryBuilder.php. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain KiviCare Doctor/Receptionist/Clinic Admin credential
Delivery
Authenticate to WordPress REST API
Exploit
Craft malicious 'orderby' parameter payload
Execution
Submit request to DoctorSessionController endpoint
Persist
KCQueryBuilder appends unsanitized input to SQL ORDER BY
Impact
Extract sensitive patient or credential data from database

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress account that has been assigned one of three KiviCare plugin-specific roles: Doctor, Receptionist, or Clinic Admin. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) scores 6.5 and accurately characterizes the attack: network-reachable, low complexity, low-privilege authenticated, no scope change, confidentiality-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds a KiviCare Doctor or Receptionist account - whether a malicious insider or an external actor who has compromised a staff credential - authenticates to the WordPress REST API and submits a crafted GET or POST request to the DoctorSessionController endpoint with a payload such as 'orderby=id,(SELECT+1+FROM+(SELECT+SLEEP(5))x)' or a UNION-based extraction string. Because the parameter is appended directly into the ORDER BY clause via KCQueryBuilder, the injected SQL executes against the WordPress database and can return patient records, appointment data, or credential hashes. …
Remediation An upstream fix has been committed to the WordPress plugin repository as changeset 3602561 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3602561%40kivicare-clinic-management-system&new=3602561%40kivicare-clinic-management-system); however, the exact patched release version is not independently confirmed from available data - update to any version released after 4.5.0 once available in the WordPress plugin directory. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15073 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy