SQL Injection Vulnerability in KiviCare Clinic & Patient Management System by WordPress
CVE-2026-15073

6.5MEDIUM

What is CVE-2026-15073?

The KiviCare – Clinic & Patient Management System plugin for WordPress has a vulnerability that allows authenticated users with Doctor-level access and above to exploit an SQL injection flaw. This issue arises from inadequate escaping of the 'orderby' parameter and poor preparation in SQL query execution. Through this vulnerability, attackers can inject malicious SQL queries into existing ones, potentially leading to the exposure of sensitive database information. Since the vulnerable REST endpoint requires specific user roles such as Doctor, Receptionist, or Clinic Admin, the risk is primarily within authenticated users, emphasizing the need for stringent access controls and secure coding practices.

Affected Version(s)

KiviCare – Clinic & Patient Management System (EHR) 0 <= 4.5.0

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PRISM
.