CVE-2026-2992 in KiviCare Plugin

Summary

by MITRE • 03/18/2026

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to create a new clinic and a WordPress user with clinic admin privileges.


Analysis

by VulDB Data Team • 03/24/2026

The vulnerability identified as CVE-2026-2992 affects the KiviCare – Clinic & Patient Management System plugin for WordPress, a widely used electronic health records solution for healthcare facilities. The plugin provides clinic management and patient data handling through a web-based interface. The flaw lies in the plugin's REST API implementation, specifically in the setup wizard functionality, which should require administrative authentication. It exists in all versions up to and including 4.1.2 and represents a critical oversight in the plugin's access control. The affected endpoint, `/wp-json/kivicare/v1/setup-wizard/clinic`, lacks an authorization check, giving an attacker a path around the normal authentication requirements.

Exploitation stems from the absence of an authorization check on the REST endpoint. When a request reaches the endpoint without any credentials, the plugin still processes it and creates both a new clinic entry in the database and a corresponding WordPress user account. That user is automatically assigned administrative privileges for the clinic, giving the requester full control over the clinic's data and operations. This is a classic privilege escalation: unauthenticated users gain elevated rights through an improperly protected API endpoint. The issue maps to CWE-285 (Improper Authorization) and illustrates how REST endpoints become attack vectors when access controls are omitted.

The operational impact goes beyond simple unauthorized access: an attacker can establish persistent administrative control over a healthcare facility's digital infrastructure. Multiple clinic accounts and user profiles could be created, potentially leading to data manipulation, unauthorized patient record access, or complete system compromise. Healthcare organizations that rely on WordPress-based systems for patient management are particularly affected, since the flaw undermines the integrity of their electronic health record systems. Because healthcare data is highly sensitive and regulated under frameworks such as HIPAA, unauthorized access is not only a security breach but a potential regulatory violation. The attacker-created accounts also function as a persistent backdoor through which access can be maintained and privileges escalated over time.

Mitigation requires immediate action from system administrators and healthcare IT teams. The most effective step is updating the KiviCare plugin to version 4.1.3 or later, which adds the missing authorization check to the affected REST API endpoint. Organizations should also apply network-level restrictions on access to WordPress REST API endpoints, particularly those related to setup and administrative functions. Security monitoring should be tuned to detect unusual API access patterns and unauthorized user creation. Additional controls such as two-factor authentication and role-based access control reduce the impact of exploitation. Where the REST API is not needed for the deployment, disabling it entirely is an option, as recommended in the ATT&CK framework for reducing attack surface. Regular security audits and vulnerability assessments should be conducted to find similar authorization gaps in other plugins and themes in the WordPress environment.
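The flaw and its fix both come down to the `permission_callback` of a WordPress REST route. The following added example (not KiviCare's code, and not the actual patched plugin) registers one setup route twice: the first registration reproduces the pattern described above, where the permission callback admits everyone, and the second gates the same callback behind a login and capability check. The namespace `example-clinic`, the function names, the custom post type `clinic` and the role name `clinic_admin` are assumptions made for illustration; `register_rest_route`, `current_user_can`, `wp_insert_post`, `wp_insert_user` and `WP_Error` are standard WordPress APIs.

```php
<?php
// Added illustrative example, not code from the KiviCare plugin.
// Namespace, route, function names, post type and role are assumptions.

add_action( 'rest_api_init', function () {

    // Vulnerable pattern: __return_true admits unauthenticated requests,
    // so anyone can reach a callback that creates a clinic and a privileged user.
    register_rest_route( 'example-clinic/v1', '/setup-wizard/clinic', array(
        'methods'             => 'POST',
        'callback'            => 'example_clinic_setup_wizard',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: same callback, but WordPress runs the permission
    // callback first and answers 401/403 before any state is changed.
    register_rest_route( 'example-clinic-fixed/v1', '/setup-wizard/clinic', array(
        'methods'             => 'POST',
        'callback'            => 'example_clinic_setup_wizard',
        'permission_callback' => 'example_clinic_setup_permission',
        'args'                => array(
            'clinic_name' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'admin_email' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_email',
            ),
        ),
    ) );
} );

/**
 * Authorization gate: only a logged-in user holding manage_options may run
 * the wizard. Anonymous callers get 401, logged-in users without the
 * capability get 403 (assumed policy for this example).
 */
function example_clinic_setup_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    return true;
}

/**
 * Route callback shared by both registrations. It creates a clinic record
 * (modelled here as a post of the assumed custom type "clinic") and a user
 * with the assumed "clinic_admin" role: a state-changing, privilege-granting
 * action that must sit behind an authorization check.
 */
function example_clinic_setup_wizard( WP_REST_Request $request ) {
    $clinic_name = $request->get_param( 'clinic_name' );
    $admin_email = $request->get_param( 'admin_email' );

    $clinic_id = wp_insert_post( array(
        'post_type'   => 'clinic',
        'post_title'  => $clinic_name,
        'post_status' => 'publish',
    ), true );
    if ( is_wp_error( $clinic_id ) ) {
        return $clinic_id;
    }

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( 'clinic_' . $clinic_id . '_admin' ),
        'user_email' => $admin_email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'clinic_admin',
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_delete_post( $clinic_id, true ); // roll back the clinic on failure
        return $user_id;
    }

    return rest_ensure_response( array(
        'clinic_id' => $clinic_id,
        'user_id'   => $user_id,
    ) );
}
```

The defensive point is that the callback body is identical in both cases; what decides whether CVE-2026-2992's scenario is possible is solely whether the permission callback enforces a real capability check. Since WordPress 5.5, omitting `permission_callback` entirely triggers a `_doing_it_wrong` notice, but supplying `__return_true` silences that notice without adding any protection, so code review should treat `__return_true` on a state-changing route as a finding unless the route is deliberately public.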

Responsible

Wordfence

Reservation

02/22/2026

Disclosure

03/18/2026

Moderation

accepted

CPE

ready

EPSS

0.00071

KEV

no

Activities

very low
