CVE-2026-0927 is a vulnerability identified in the KiviCare – Clinic & Patient Management System (EHR) WordPress plugin developed by iqonicdesign. The issue arises from a missing authorization check in the uploadMedicalReport() function, which handles the uploading of medical reports such as text files and PDFs. This flaw exists in all versions up to and including 3.6.15. Due to the lack of proper authorization, unauthenticated attackers can remotely upload arbitrary files to the web server hosting the vulnerable plugin. The uploaded files can be benign or malicious, including phishing PDFs or other content that could be used to facilitate further attacks such as social engineering or hosting malware. The vulnerability does not require any privileges or user interaction, making it easier to exploit. The CVSS v3.1 base score is 5.3, indicating a medium severity level. The vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). No patches or known exploits are currently reported, but the vulnerability's presence in a healthcare-related plugin increases its potential risk. The CWE-862 classification highlights the missing authorization as the root cause.

The primary impact of this vulnerability is the unauthorized ability to upload arbitrary files to the affected server, which compromises the integrity of the system. Attackers can upload malicious PDFs or text files that may be used for phishing campaigns or to host malicious content, potentially leading to further compromise of the web server or users interacting with the content. While confidentiality is not directly impacted, the integrity and trustworthiness of the healthcare system's data and services can be undermined. This could disrupt clinical workflows, damage organizational reputation, and expose patients to risks if attackers leverage the vulnerability to distribute malware or conduct social engineering. Given the plugin's use in electronic health record management, any compromise could have serious implications for healthcare providers and patients. The vulnerability is exploitable remotely without authentication, increasing the risk of widespread exploitation if left unmitigated.

Organizations using the KiviCare plugin should immediately verify their plugin version and upgrade to a patched version once available. In the absence of an official patch, administrators should implement strict access controls on the uploadMedicalReport() function, ensuring that only authenticated and authorized users can upload files. Web application firewalls (WAFs) can be configured to block suspicious file upload attempts and restrict allowed file types and sizes. Additionally, scanning uploaded files for malicious content and isolating uploaded files in non-executable directories can reduce risk. Monitoring web server logs for unusual upload activity and conducting regular security audits of the WordPress environment are recommended. Disabling or restricting file upload functionality temporarily until a patch is applied can also mitigate risk. Finally, educating staff about phishing risks related to malicious PDFs can help reduce downstream impacts.