CVE-2026-2991
Authentication Bypass in KiviCare Plugin Exposes Patient Data
Publication date: 2026-03-18
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kivicare | kivicare_clinic_management_system | to 4.1.2 (inc) |
| kivicare | kivicare | to 4.1.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the KiviCare Clinic & Patient Management System WordPress plugin (up to version 4.1.2) is an Authentication Bypass. It occurs because the function patientSocialLogin() does not verify the social provider access token before authenticating a user.
This flaw allows an unauthenticated attacker to log in as any patient registered on the system by simply providing the patient's email address and an arbitrary access token value, bypassing all credential checks.
Additionally, authentication cookies are set before user role checks, which means even non-patient users (including administrators) receive authentication cookies in HTTP response headers despite a 403 Forbidden response.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows attackers to gain unauthorized access to sensitive patient information.
- Attackers can access sensitive medical records, appointments, prescriptions, and billing information.
- It leads to breaches of Personally Identifiable Information (PII) and Protected Health Information (PHI).
- Unauthorized access to administrator accounts may also be possible due to authentication cookies being set before role verification.
Overall, this can result in data theft, privacy violations, and potential disruption of healthcare services.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by attempting to authenticate using the vulnerable KiviCare plugin's API login endpoint without valid credentials, specifically by providing a patient's email address and an arbitrary access token value."}, {'type': 'paragraph', 'content': "Since the vulnerability involves the `patientSocialLogin()` function not verifying the social provider access token, a test can be performed by sending crafted HTTP POST requests to the `/auth/login` REST API endpoint with a patient's email and an arbitrary token to see if authentication is granted."}, {'type': 'paragraph', 'content': 'Commands using curl to test this might look like the following example:'}, {'type': 'list_item', 'content': 'curl -X POST https://your-kivicare-site.com/wp-json/kivicare/v1/auth/login -d \'{"email":"[email protected]","access_token":"arbitraryvalue"}\' -H \'Content-Type: application/json\''}, {'type': 'paragraph', 'content': 'If the response indicates successful authentication without valid credentials, the vulnerability is present.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the KiviCare plugin to a version later than 4.1.2 where this vulnerability is fixed.
If an update is not immediately possible, restrict access to the vulnerable API endpoints by implementing firewall rules or access controls to limit requests to trusted IP addresses.
Additionally, monitor authentication logs for suspicious login attempts using arbitrary access tokens and unusual email addresses.
Enabling Google reCAPTCHA verification on authentication endpoints, if supported and configured, can help mitigate automated exploitation attempts.