{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T18:37:26.332","vulnerabilities":[{"cve":{"id":"CVE-2026-0927","sourceIdentifier":"security@wordfence.com","published":"2026-01-23T06:15:50.480","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files."},{"lang":"es","value":"El plugin KiviCare – Sistema de Gestión de Clínicas y Pacientes (EHR) para WordPress es vulnerable a subidas arbitrarias de archivos debido a la falta de comprobaciones de autorización en la función uploadMedicalReport() en todas las versiones hasta la 3.6.15, inclusive. Esto hace posible que atacantes no autenticados suban archivos de texto y documentos PDF al servidor del sitio afectado, lo que puede ser aprovechado para ataques adicionales como alojar contenido malicioso o páginas de phishing a través de archivos PDF."}],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}]},"weaknesses":[{"source":"security@wordfence.com","type":"Secondary","description":[{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/3.6.15/app/controllers/KCAppointmentController.php#L1328","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php#L1328","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/changeset/3443088/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php","source":"security@wordfence.com"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/489931ef-bac3-4de8-84ec-6f226d96f778?source=cve","source":"security@wordfence.com"}]}}]}