Calgary, Alberta, Canada
sales@hackhalt.com
Free Download Free Download Free Download
Explore Pricing Explore Pricing Explore Pricing

Blog

"Prevention is cheaper than a breach"

Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Total4
Critical1
High1
Medium2
Reset
Showing 1-4 of 4 records
Threat Entry Updated 2026-04-08

CVE-2026-2991 - Kivicare Clinic Management System Plugin

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2. This is due to the `patientSocialLogin()` function not verifying the social provider access token before authenticating a user. This makes it possible for unauthenticated attackers to log in as any patient registered on the system by providing only their email address and an arbitrary value for the access token, bypassing all credential verification. The attacker gains access to sensitive medical records, appointments, prescriptions, and billing…

PLUGIN Kivicare Clinic Management System

CVE-2026-2991

CRITICAL CVSS 9.8 2026-03-18
Open Full Technical Breakdown
Threat Entry Updated 2026-03-19

CVE-2026-2992 - Kivicare Clinic Management System Plugin

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to create a new clinic and a WordPress user with clinic admin privileges.

PLUGIN Kivicare Clinic Management System

CVE-2026-2992

HIGH CVSS 8.2 2026-03-18
Open Full Technical Breakdown
Threat Entry Updated 2026-04-15

CVE-2026-0927 - Kivicare Clinic Management System Plugin

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site's server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files.

PLUGIN Kivicare Clinic Management System

CVE-2026-0927

MEDIUM CVSS 5.3 2026-01-23
Open Full Technical Breakdown
Threat Entry Updated 2025-03-06

CVE-2025-1572 - Kivicare Clinic Management System Plugin

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_id’ parameter in all versions up to, and including, 3.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

PLUGIN Kivicare Clinic Management System

CVE-2025-1572

MEDIUM CVSS 6.5 2025-02-28
Open Full Technical Breakdown
Scroll to top