SQL Injection Vulnerability in KiviCare Clinic & Patient Management System by WordPress
CVE-2026-15073
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 July 2026
What is CVE-2026-15073?
The KiviCare β Clinic & Patient Management System plugin for WordPress has a vulnerability that allows authenticated users with Doctor-level access and above to exploit an SQL injection flaw. This issue arises from inadequate escaping of the 'orderby' parameter and poor preparation in SQL query execution. Through this vulnerability, attackers can inject malicious SQL queries into existing ones, potentially leading to the exposure of sensitive database information. Since the vulnerable REST endpoint requires specific user roles such as Doctor, Receptionist, or Clinic Admin, the risk is primarily within authenticated users, emphasizing the need for stringent access controls and secure coding practices.
Affected Version(s)
KiviCare β Clinic & Patient Management System (EHR) 0 <= 4.5.0