KiviCare – Clinic & Patient Management System (EHR) Security & Risk Analysis

wordpress.org/plugins/kivicare-clinic-management-system

KiviCare is an impressive clinic and patient management plugin (EHR).

2K active installs · v4.2.0 · PHP 8.0+ · WP 3.0.1+ · Updated Mar 2, 2026

Tags: appointment-management, clinic-management, clinic-management-solution, doctor-management, patient-management

Score: 82 (B · Generally Safe)
CVEs total: 17
Unpatched: 0
Last CVE: Mar 23, 2026
Safety Verdict

Is KiviCare – Clinic & Patient Management System (EHR) Safe to Use in 2026?

Mostly Safe

Score 82/100

KiviCare – Clinic & Patient Management System (EHR) is generally safe to use. 17 past CVEs were resolved. Keep it updated.

17 known CVEs · Last CVE: Mar 23, 2026 · Updated 1mo ago
Risk Assessment

The static analysis of kivicare-clinic-management-system v4.2.0 shows a generally good security posture in terms of its current code, with no identified critical or high severity taint flows and a high percentage of SQL queries using prepared statements and output being properly escaped. The attack surface appears minimal in terms of direct entry points like AJAX handlers, REST API routes, and shortcodes. However, the plugin's history of 13 known CVEs, including a critical and a high severity vulnerability, is a significant concern and indicates a pattern of past security weaknesses. The types of past vulnerabilities, such as SQL Injection, Authorization Bypass, and Cross-Site Scripting, suggest that the plugin has struggled with proper input sanitization and authorization enforcement in its development history. While the current version seems to have addressed immediate code-level risks, the historical context and the presence of a bundled library (dompdf) that could potentially be outdated or contain its own vulnerabilities warrant careful consideration. The existence of cron events without explicit mention of authentication checks on their handlers also presents a potential, albeit unquantified, risk. Overall, the plugin exhibits strengths in its current coding practices but is significantly weakened by its past vulnerability record and the potential for undiscovered issues within bundled libraries or less scrutinized components like cron events.

Key Concerns

  • History of 13 known CVEs
  • Critical severity past CVE
  • High severity past CVE
  • Bundled library: dompdf
  • Cron events without explicit auth check
Vulnerabilities: 17

KiviCare – Clinic & Patient Management System (EHR) Security Vulnerabilities

CVEs by Year

  • 2022: 1 CVE
  • 2023: 4 CVEs
  • 2024: 4 CVEs
  • 2025: 2 CVEs
  • 2026: 6 CVEs

Severity Breakdown

  • Critical: 1
  • High: 3
  • Medium: 13

17 total CVEs

CVE-2026-25383 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
KiviCare – Clinic & Patient Management System (EHR) <= 3.6.16 - Reflected Cross-Site Scripting
Mar 23, 2026 · Patched in 4.0.0 (4d)

CVE-2026-25034 · medium · 5.3 · Missing Authorization
KiviCare – Clinic & Patient Management System (EHR) <= 3.6.16 - Missing Authorization
Mar 23, 2026 · Patched in 4.0.0 (11d)

CVE-2026-2991 · high · 7.3 · Improper Authentication
KiviCare – Clinic & Patient Management System (EHR) <= 4.1.2 - Unauthenticated Authentication Bypass via Social Login Token
Mar 17, 2026 · Patched in 4.1.3 (8d)

CVE-2026-2992 · high · 8.2 · Missing Authorization
KiviCare <= 4.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via Setup Wizard
Mar 17, 2026 · Patched in 4.1.3 (2d)

CVE-2026-25022 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
KiviCare <= 3.6.16 - Authenticated (Receptionist+) SQL Injection
Feb 1, 2026 · Patched in 4.0.0 (8d)

CVE-2026-0927 · medium · 5.3 · Missing Authorization
KiviCare – Clinic & Patient Management System (EHR) <= 3.6.15 - Missing Authorization to Unauthenticated Limited Arbitrary File Upload
Jan 22, 2026 · Patched in 3.6.16 (1d)

CVE-2025-66095 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
KiviCare <= 3.6.13 - Authenticated (Patient+) SQL Injection
Nov 27, 2025 · Patched in 3.6.14 (5d)

CVE-2025-1572 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
KiviCare – Clinic & Patient Management System (EHR) <= 3.6.7 - Authenticated (Doctor+) SQL Injection via 'u_id' Parameter
Feb 27, 2025 · Patched in 3.6.8 (1d)

CVE-2024-11730 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
KiviCare – Clinic & Patient Management System (EHR) <= 3.6.4 - Authenticated (Doctor/Receptionist+) SQL Injection
Dec 5, 2024 · Patched in 3.6.5 (1d)

CVE-2024-11728 · high · 7.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
KiviCare – Clinic & Patient Management System (EHR) <= 3.6.4 - Unauthenticated SQL Injection
Dec 5, 2024 · Patched in 3.6.5 (1d)

CVE-2024-11729 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
KiviCare – Clinic & Patient Management System (EHR) <= 3.6.4 - Authenticated (Subscriber+) SQL Injection
Dec 5, 2024 · Patched in 3.6.5 (1d)

CVE-2024-35659 · medium · 4.3 · Authorization Bypass Through User-Controlled Key
KiviCare <= 3.6.6 - Authenticated (Patient+) Insecure Direct Object Reference
Jun 3, 2024 · Patched in 3.6.7 (242d)

CVE-2023-2623 · medium · 6.5 · Exposure of Sensitive Information to an Unauthorized Actor
KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 - Sensitive Information Exposure
Jun 5, 2023 · Patched in 3.2.1 (232d)

CVE-2023-2628 · medium · 6.5 · Cross-Site Request Forgery (CSRF)
KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 - Cross-Site Request Forgery
Jun 5, 2023 · Patched in 3.2.1 (232d)

CVE-2023-2627 · medium · 5.4 · Missing Authorization
KiviCare – Clinic & Patient Management System (EHR) <= 3.2.0 - Missing Authorization
Jun 5, 2023 · Patched in 3.2.1 (232d)

CVE-2023-2624 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
KiviCare <= 3.2.0 - Reflected Cross-Site Scripting via 'filterType'
Jun 5, 2023 · Patched in 3.2.1 (232d)

CVE-2022-0786 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
KiviCare – Clinic & Patient Management System (EHR) <= 2.3.8 - SQL Injection
May 23, 2022 · Patched in 2.3.9 (610d)
Code Analysis
Analyzed Mar 16, 2026

KiviCare – Clinic & Patient Management System (EHR) Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 71 (119 prepared)
  • Unescaped Output: 57 (518 escaped)
  • Nonce Checks: 3
  • Capability Checks: 15
  • File Operations: 11
  • External Requests: 6
  • Bundled Libraries: 1

Bundled Libraries

dompdf

SQL Query Safety

63% prepared (190 total queries)

Output Escaping

90% escaped (575 total outputs)

Data Flows

All sanitized

Data Flow Analysis

2 flows
handleExportDownload (app\helpers\KCExportHelper.php:107)
Attack Surface

KiviCare – Clinic & Patient Management System (EHR) Attack Surface

Entry Points: 0
Unprotected: 0

WordPress Hooks: 90
action · wp_enqueue_scripts · app\abstracts\KCShortcodeAbstract.php:98
action · admin_menu · app\admin\AdminMenu.php:19
action · admin_footer · app\admin\AdminMenu.php:92
filter · rewrite_rules_array · app\admin\KCDashboardPermalinkHandler.php:36
filter · query_vars · app\admin\KCDashboardPermalinkHandler.php:37
filter · template_include · app\admin\KCDashboardPermalinkHandler.php:38
action · init · app\admin\KCDashboardPermalinkHandler.php:39
filter · show_admin_bar · app\admin\KCDashboardPermalinkHandler.php:190
action · wp_enqueue_scripts · app\admin\KCDashboardPermalinkHandler.php:194
filter · heartbeat_settings · app\admin\KCDashboardPermalinkHandler.php:237
action · init · app\baseClasses\KCApp.php:45
action · init · app\baseClasses\KCApp.php:47
action · init · app\baseClasses\KCApp.php:49
action · init · app\baseClasses\KCApp.php:51
action · rest_api_init · app\baseClasses\KCApp.php:53
action · rest_api_init · app\baseClasses\KCApp.php:54
action · plugins_loaded · app\baseClasses\KCApp.php:57
action · init · app\baseClasses\KCApp.php:60
action · plugins_loaded · app\baseClasses\KCApp.php:63
filter · authenticate · app\baseClasses\KCApp.php:65
filter · determine_current_user · app\baseClasses\KCApp.php:68
filter · woocommerce_rest_check_permissions · app\baseClasses\KCApp.php:71
action · init · app\baseClasses\KCApp.php:88
filter · cron_schedules · app\baseClasses\KCApp.php:89
filter · login_redirect · app\baseClasses\KCApp.php:101
filter · init · app\baseClasses\KCApp.php:103
filter · ajax_query_attachments_args · app\baseClasses\KCApp.php:106
action · elementor/elements/categories_registered · app\baseClasses\KCApp.php:215
action · elementor/widgets/register · app\baseClasses\KCApp.php:218
action · init · app\baseClasses\KCPermissions.php:548
action · init · app\blocks\KCBlocksRegister.php:19
action · enqueue_block_editor_assets · app\blocks\KCBlocksRegister.php:20
filter · block_categories_all · app\blocks\KCBlocksRegister.php:21
action · set_logged_in_cookie · app\controllers\api\AuthController.php:780
action · set_logged_in_cookie · app\controllers\api\AuthController.php:1415
action · rest_api_init · app\controllers\api\SettingsController\GoogleEventTemplate.php:30
action · kc_doctor_save · app\controllers\filters\KCDoctorControllerFilters.php:18
action · kc_doctor_update · app\controllers\filters\KCDoctorControllerFilters.php:19
filter · kc_doctor_data · app\controllers\filters\KCDoctorControllerFilters.php:20
action · kc_patient_save · app\controllers\filters\KCPatientControllerFilters.php:18
action · kc_patient_update · app\controllers\filters\KCPatientControllerFilters.php:19
filter · kc_patient_data · app\controllers\filters\KCPatientControllerFilters.php:20
action · rest_api_init · app\controllers\KCRestAPI.php:85
action · init · app\emails\KCEmailNotificationInit.php:51
action · init · app\emails\KCEmailNotificationInit.php:54
filter · kivicare_custom_email_key_value · app\emails\KCEmailNotificationInit.php:57
action · kivicare_send_scheduled_email · app\emails\KCEmailNotificationInit.php:60
action · kivicare_register_custom_dynamic_keys · app\emails\KCEmailNotificationInit.php:265
filter · wp_mail_from · app\emails\KCEmailSender.php:63
filter · wp_mail_from_name · app\emails\KCEmailSender.php:64
action · init · app\emails\KCEmailTemplateManager.php:52
action · kc_after_create_appointment · app\emails\listeners\KCAppointmentNotificationListener.php:50
action · kc_appointment_cancelled · app\emails\listeners\KCAppointmentNotificationListener.php:53
action · kivicare_after_payment_processed · app\emails\listeners\KCAppointmentNotificationListener.php:56
action · kivicare_after_payment_processed · app\emails\listeners\KCAppointmentNotificationListener.php:57
action · kc_appointment_payment_completed · app\emails\listeners\KCAppointmentNotificationListener.php:58
action · kc_appointment_payment_completed · app\emails\listeners\KCAppointmentNotificationListener.php:59
action · kivicare_appointment_updated · app\emails\listeners\KCAppointmentNotificationListener.php:62
action · kivicare_appointment_confirmed · app\emails\listeners\KCAppointmentNotificationListener.php:63
action · kivicare_appointment_reminder · app\emails\listeners\KCAppointmentNotificationListener.php:66
action · kc_doctor_save · app\emails\listeners\KCDoctorNotificationListener.php:37
action · kc_encounter_closed · app\emails\listeners\KCEncounterNotificationListener.php:40
action · kc_invoice_generated · app\emails\listeners\KCInvoiceNotificationListener.php:38
action · kc_appointment_status_update · app\emails\listeners\KCPatientCheckInNotificationListener.php:40
action · kc_patient_save · app\emails\listeners\KCPatientNotificationListener.php:37
action · kc_payment_pending · app\emails\listeners\KCPaymentNotificationListener.php:39
action · kc_payment_overdue · app\emails\listeners\KCPaymentNotificationListener.php:42
action · kc_prescription_created · app\emails\listeners\KCPrescriptionNotificationListener.php:40
action · kc_prescription_updated · app\emails\listeners\KCPrescriptionNotificationListener.php:43
action · kc_receptionist_save · app\emails\listeners\KCReceptionistNotificationListener.php:37
action · kc_user_verified · app\emails\listeners\KCUserVerificationNotificationListener.php:36
action · wp_loaded · app\helpers\KCExportHelper.php:21
action · kivicare_cleanup_exports · app\helpers\KCExportHelper.php:24
filter · upload_mimes · app\helpers\KCExportHelper.php:32
action · init · app\helpers\KCExportHelper.php:35
filter · pronamic_payment_redirect_url · app\paymentGateways\KCKnitPay.php:48
filter · woocommerce_get_cart_item_from_session · app\paymentGateways\KCWooCommerce.php:42
action · woocommerce_checkout_update_order_meta · app\paymentGateways\KCWooCommerce.php:43
action · before_delete_post · app\paymentGateways\KCWooCommerce.php:44
action · woocommerce_new_order · app\paymentGateways\KCWooCommerce.php:45
action · woocommerce_checkout_create_order_line_item · app\paymentGateways\KCWooCommerce.php:46
action · woocommerce_order_status_changed · app\paymentGateways\KCWooCommerce.php:47
action · woocommerce_payment_complete · app\paymentGateways\KCWooCommerce.php:48
action · woocommerce_order_status_failed · app\paymentGateways\KCWooCommerce.php:49
action · woocommerce_cart_calculate_fees · app\paymentGateways\KCWooCommerce.php:50
filter · woocommerce_order_item_needs_processing · app\paymentGateways\KCWooCommerce.php:51
action · kivicare_wc_auto_cancel_appointment · app\paymentGateways\KCWooCommerce.php:55
action · init · kivicare-clinic-management-system.php:71
action · plugins_loaded · kivicare-clinic-management-system.php:82
action · admin_notices · kivicare-clinic-management-system.php:145

Scheduled Events: 1

kivicare_cleanup_exports
Maintenance & Trust

KiviCare – Clinic & Patient Management System (EHR) Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 2, 2026
  • PHP min version: 8.0
  • Downloads: 114K

Community Trust

  • Rating: 70/100
  • Number of ratings: 22
  • Active installs: 2K
Developer Profile

KiviCare – Clinic & Patient Management System (EHR) Developer Profile

Iqonic Design

5 plugins · 17K total installs

  • Trust score: 82
  • Avg Security Score: 92/100
  • Avg Patch Time: 82 days
Detection Fingerprints

How We Detect KiviCare – Clinic & Patient Management System (EHR)

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/kivicare-clinic-management-system/assets/css/kivicare-clinic-management-system-public.css
  • /wp-content/plugins/kivicare-clinic-management-system/assets/css/kivicare-clinic-management-system-rtl.css
  • /wp-content/plugins/kivicare-clinic-management-system/assets/js/kivicare-clinic-management-system-public.js
  • /wp-content/plugins/kivicare-clinic-management-system/assets/js/kivicare-clinic-management-system-rtl.js
Script Paths
  • kivicare-clinic-management-system/assets/js/kivicare-clinic-management-system-public.js
  • kivicare-clinic-management-system/assets/js/kivicare-clinic-management-system-rtl.js
Version Parameters
  • kivicare-clinic-management-system/assets/css/kivicare-clinic-management-system-public.css?ver=
  • kivicare-clinic-management-system/assets/css/kivicare-clinic-management-system-rtl.css?ver=
  • kivicare-clinic-management-system/assets/js/kivicare-clinic-management-system-public.js?ver=
  • kivicare-clinic-management-system/assets/js/kivicare-clinic-management-system-rtl.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • kivicare-clinic-management-system-wrapper
  • kivicare-appointments
  • kivicare-patient-registration
  • kivicare-doctor-profile
  • kivicare-dashboard
  • kivicare-booking
Data Attributes
data-kivicare-modal
JS Globals
  • kiviCare_current_url
  • kiviCare_ajax_url
  • KIVICARE_NAMESPACE
Shortcode Output
  • [kivicare_booking]
  • [kivicare_patient_registration]
  • [kivicare_doctor_directory]
  • [kivicare_appointments]
FAQ

Frequently Asked Questions about KiviCare – Clinic & Patient Management System (EHR)