CVE-2026-2991 in KiviCare Plugin
Summary
by MITRE • 03/18/2026
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2. This is due to the `patientSocialLogin()` function not verifying the social provider access token before authenticating a user. This makes it possible for unauthenticated attackers to log in as any patient registered on the system by providing only their email address and an arbitrary value for the access token, bypassing all credential verification. The attacker gains access to sensitive medical records, appointments, prescriptions, and billing information (PII/PHI breach). Additionally, authentication cookies are set before the role check, meaning the auth cookies for non-patient users (including administrators) are also set in the HTTP response headers, even though a 403 response is returned.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/24/2026
The vulnerability identified in CVE-2026-2991 affects the KiviCare – Clinic & Patient Management System plugin for WordPress, a widely used electronic health records system that manages patient data and clinical workflows. This authentication bypass flaw exists in all versions up to and including 4.1.2, representing a critical security weakness that directly compromises patient privacy and system integrity. The vulnerability stems from improper access control implementation within the patient social login functionality, which creates a fundamental flaw in the plugin's authentication mechanism and exposes sensitive healthcare information to unauthorized parties.
The technical root cause lies within the `patientSocialLogin()` function which fails to validate the social provider access token before proceeding with user authentication. This function operates without proper token verification, allowing attackers to bypass all credential checks by simply submitting a patient's email address along with any arbitrary access token value. The flaw constitutes a classic authentication bypass vulnerability classified under CWE-287, which specifically addresses improper authentication mechanisms in software systems. The absence of token validation creates a condition where the system accepts any valid email address paired with an invalid token, effectively granting unauthorized access to patient accounts. This vulnerability enables attackers to gain access to comprehensive patient medical records, appointment schedules, prescription details, and financial billing information, representing a significant breach of personally identifiable information and protected health information.
The operational impact of this vulnerability extends beyond simple unauthorized access to include potential administrative account compromise through the flawed cookie setting mechanism. The system incorrectly sets authentication cookies in HTTP response headers before performing role verification checks, meaning that even when a 403 unauthorized response is ultimately returned, the authentication cookies for non-patient users including administrators have already been established. This creates a dangerous situation where attackers can potentially maintain persistent access to administrative functions despite receiving error responses, effectively enabling privilege escalation and comprehensive system compromise. The vulnerability affects the confidentiality and integrity of healthcare data as outlined in the HIPAA Security Rule, creating exposure to data breaches that could result in significant regulatory penalties and reputational damage for healthcare organizations.
Mitigation strategies should prioritize immediate plugin version updates to the latest secure release, as this represents the most effective defense against the identified vulnerability. Organizations must implement comprehensive access control measures including proper token validation mechanisms and role-based access controls to prevent similar issues in the future. Security monitoring should include detection of unauthorized authentication attempts and cookie manipulation patterns. The vulnerability aligns with ATT&CK technique T1078.004 which covers valid accounts used for unauthorized access, and T1566 which addresses credential harvesting through social engineering. Additionally, organizations should consider implementing multi-factor authentication, network segmentation, and regular security audits of third-party plugins to prevent exploitation of similar authentication bypass vulnerabilities. The flaw demonstrates the critical importance of proper input validation and authentication flow implementation, particularly in healthcare applications where patient privacy and data security are paramount requirements.