CVE-2026-15073 in KiviCare Plugin
Summary
by MITRE • 07/11/2026
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.5.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Exploitation requires a KiviCare Doctor, Receptionist, or Clinic Admin role at minimum, as the vulnerable REST endpoint is restricted to authenticated users with custom plugin-level access.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 07/11/2026
The vulnerability identified in the KiviCare – Clinic & Patient Management System WordPress plugin represents a critical generic SQL injection flaw that undermines the security integrity of healthcare data management systems. This weakness exists within version 4.5.0 and all prior releases, creating a persistent risk for organizations utilizing this electronic health record solution. The vulnerability specifically manifests through the 'orderby' parameter in REST API endpoints, where inadequate input sanitization allows malicious actors to manipulate database queries through authenticated access points. The flaw stems from insufficient escaping of user-supplied parameters combined with inadequate preparation of existing SQL statements, creating an exploitable pathway for data extraction attacks.
The operational impact of this vulnerability extends beyond simple data exposure, as it affects the core patient management functionality of healthcare providers who depend on the plugin for clinical operations. Attackers with Doctor-level access or higher can leverage this weakness to execute unauthorized database queries that may reveal sensitive patient information including medical records, personal identifiers, treatment histories, and administrative details. The vulnerability's restriction to authenticated users with specific roles such as Doctors, Receptionists, or Clinic Admins does not diminish its severity, as these positions typically possess extensive access to patient data and system functionalities. This authentication requirement actually makes the attack vector more insidious since it operates within legitimate user permissions, potentially evading detection mechanisms that monitor for unusual external access patterns.
From a cybersecurity perspective, this vulnerability aligns with CWE-89 which categorizes SQL injection as a fundamental weakness in data handling procedures where untrusted data is incorporated into database queries without proper sanitization. The attack pattern conforms to ATT&CK technique T1071.004 for application layer protocol manipulation, specifically targeting web application interfaces to achieve unauthorized data access. The exploitation process requires minimal privileges but significant system access, making it particularly dangerous in healthcare environments where insider threats are a recognized concern. Organizations implementing this plugin face potential compliance violations under regulations such as HIPAA, GDPR, and similar data protection frameworks due to the exposure of sensitive health information through this vulnerability.
Mitigation strategies should include immediate patching to version 4.5.1 or later, which addresses the SQL injection weakness through proper input validation and parameterized query construction. Network segmentation and access control measures should be implemented to restrict unnecessary administrative privileges within the plugin environment. Regular security audits of custom WordPress plugins should be conducted to identify similar vulnerabilities in other healthcare management systems. Additional defensive measures include implementing database query monitoring, establishing robust authentication controls for administrative functions, and maintaining comprehensive logging of all user activities within the KiviCare system. Organizations should also consider deploying web application firewalls to detect and block malicious SQL injection attempts targeting the vulnerable REST endpoints, ensuring that unauthorized queries cannot be executed even if the underlying vulnerability remains unpatched temporarily.