CVE-2026-15072 in KiviCare Plugin
Summary
by MITRE • 07/11/2026
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This requires that the attacker hold at minimum a KiviCare Doctor-level account, or a Receptionist or Clinic Admin role that grants the doctor_session_list capability.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/11/2026
The vulnerability in the KiviCare – Clinic & Patient Management System plugin for WordPress represents a critical generic SQL injection flaw that undermines the integrity of the underlying database infrastructure. This security weakness exists within version 4.5.0 and all preceding releases, creating a persistent threat vector that can be exploited by authenticated malicious actors. The flaw specifically manifests through improper handling of the 'orderby' parameter in the plugin's data retrieval mechanisms, where user-supplied input undergoes insufficient sanitization before being incorporated into SQL queries.
The technical implementation of this vulnerability stems from inadequate input validation and escaping procedures within the plugin's database query construction logic. When legitimate users with doctor-level privileges or higher access the system's session listing functionality, the 'orderby' parameter becomes a conduit for malicious SQL injection attempts. The absence of proper prepared statement usage or adequate parameter binding allows attackers to inject arbitrary SQL commands that become seamlessly integrated with existing database queries. This creates a scenario where the original query structure remains intact while additional malicious operations are appended, enabling comprehensive database reconnaissance and data extraction capabilities.
The operational impact of this vulnerability extends beyond simple data theft to encompass potential system compromise and unauthorized access to sensitive patient information. Attackers with minimum doctor-level accounts or equivalent privileges can leverage this weakness to extract confidential medical records, user credentials, session data, and other proprietary information stored within the plugin's database schema. The attack surface is particularly concerning given that the vulnerability requires only relatively low-privilege access levels, making it accessible to individuals who may not have administrative capabilities but possess legitimate healthcare roles within the organization.
Mitigation strategies should prioritize immediate patching of the affected plugin versions to address the root cause through proper input sanitization and parameter binding implementations. Organizations must implement robust access control measures to minimize the attack surface by ensuring that only authorized personnel maintain the necessary privileges for healthcare operations. Additionally, database query logging and monitoring systems should be enhanced to detect anomalous SQL patterns that may indicate exploitation attempts. This vulnerability aligns with CWE-89, which specifically addresses SQL injection weaknesses in software applications, and represents a clear violation of the principle of least privilege as outlined in security best practices. The ATT&CK framework categorizes this as a database access technique where adversaries leverage application vulnerabilities to extract sensitive information from backend systems.
The remediation approach must incorporate comprehensive code review processes to identify similar input handling patterns throughout the plugin's functionality, ensuring that all user-supplied parameters undergo proper validation and sanitization before database interaction. Organizations should also establish proactive monitoring mechanisms that can detect and alert on suspicious database query patterns, providing early warning capabilities for potential exploitation attempts. Regular security assessments of third-party WordPress plugins remain essential for maintaining overall system security posture and preventing similar vulnerabilities from emerging in other components of the healthcare information management ecosystem.