CVE-2026-2992
Privilege Escalation in KiviCare Plugin via Unauthenticated REST API

Publication date: 2026-03-18

Last updated on: 2026-03-18

Assigner: Wordfence

Description
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to create a new clinic and a WordPress user with clinic admin privileges.
Meta Information
Published: 2026-03-18
Last Modified: 2026-03-18
Generated: 2026-06-19
AI Q&A: 2026-03-18
EPSS Evaluated: 2026-06-18
External references: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)

Vendor         Product                              Version / Range
iqonicdesign   kivicare_clinic_management_system    up to and including 4.1.2
kivicare       kivicare                             up to and including 4.1.2
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress has a vulnerability due to missing authorization on the /wp-json/kivicare/v1/setup-wizard/clinic REST API endpoint in all versions up to and including 4.1.2.

This lack of authorization allows unauthenticated attackers to create a new clinic and a WordPress user with clinic admin privileges.

Impact Analysis

Because the endpoint performs no authorization check, anyone who can reach the site's REST API can, with a single unauthenticated request, create a clinic and obtain a WordPress account with clinic admin privileges. No existing account, credential or social engineering is required.

The resulting account gives the attacker control over that clinic's data and management functions inside the plugin, which on a live deployment means access to sensitive patient and clinic records (an EHR system handles exactly the kind of data that is most damaging to expose).


Detection Guidance

Exploitation consists of an HTTP POST to the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint that creates a new clinic and a WordPress user with clinic admin privileges. The endpoint is part of the plugin's setup wizard, so on a site that has already been set up there is normally no legitimate reason for anyone, let alone an anonymous client, to call it. Web server access logs are the first place to look, with two caveats: access logs do not record WordPress session state, so "unauthenticated" cannot be read directly from a log line, and WordPress also serves every REST route through the `?rest_route=` query form (for example `/index.php?rest_route=/kivicare/v1/setup-wizard/clinic`, often URL-encoded), which a search for `/wp-json/` alone will miss.

  • Search the web server access logs for requests to the endpoint in both forms:
    grep -iE "/wp-json/kivicare/v1/setup-wizard/clinic|rest_route=.*setup-wizard.*clinic" /var/log/apache2/access.log
    grep -iE "/wp-json/kivicare/v1/setup-wizard/clinic|rest_route=.*setup-wizard.*clinic" /var/log/nginx/access.log
  • Treat any POST to the endpoint after initial setup as suspicious, and any POST from an IP address that is not the site administrator's as a probable exploitation attempt; a 2xx response on an unpatched version indicates the request most likely succeeded.
  • Cross-check the WordPress user table for accounts created around the time of such requests, since a successful request leaves behind a new user with clinic admin privileges as well as a new clinic record in the plugin's data.
  • Configure the intrusion detection system (IDS) or web application firewall (WAF) to alert on requests to this endpoint in both URL forms.
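The log checks above, as an added example that is not part of this advisory or of the KiviCare plugin: a small Python scanner that parses Apache/Nginx combined-format access-log lines, flags POSTs to the vulnerable route in both the `/wp-json/` and the `?rest_route=` (URL-encoded) forms, ignores an operator-supplied allowlist of administrator IPs, and marks 2xx responses as likely successful. The sample log lines are constructed for the example and use documentation IP ranges; the function names and the allowlist parameter are the example's own.

```python
import re
from urllib.parse import unquote

# Route that CVE-2026-2992 concerns, without the /wp-json prefix so that both
# URL forms can be matched. (Added example; not code from the advisory or plugin.)
ENDPOINT = "/kivicare/v1/setup-wizard/clinic"

# Apache/Nginx "combined" log format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Constructed sample log (not real traffic). Lines 2-4 are exploitation
# attempts; line 1 is a GET probe, line 5 is unrelated.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2026:10:01:12 +0000] "GET /wp-json/kivicare/v1/setup-wizard/clinic HTTP/1.1" 404 97 "-" "curl/8.4.0"
203.0.113.7 - - [18/Mar/2026:10:01:15 +0000] "POST /wp-json/kivicare/v1/setup-wizard/clinic HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.23 - - [18/Mar/2026:10:05:40 +0000] "POST /index.php?rest_route=%2Fkivicare%2Fv1%2Fsetup-wizard%2Fclinic HTTP/1.1" 200 298 "-" "Mozilla/5.0"
192.0.2.10 - - [18/Mar/2026:10:07:01 +0000] "POST /wp-json/kivicare/v1/setup-wizard/clinic HTTP/1.1" 403 45 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Mar/2026:10:08:30 +0000] "POST /wp-login.php HTTP/1.1" 200 1200 "-" "python-requests/2.31"
""".splitlines()


def targets_endpoint(path: str) -> bool:
    """True if the request path reaches the vulnerable route.

    Covers the pretty-permalink form (/wp-json/kivicare/...) and the
    rest_route query form (/index.php?rest_route=/kivicare/...), which
    WordPress always accepts and which may arrive URL-encoded.
    """
    p = path.lower()
    if "/wp-json" in p and ENDPOINT in p:
        return True
    m = re.search(r"[?&]rest_route=([^&]+)", p)
    return bool(m) and ENDPOINT in unquote(m.group(1))


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scan(lines, allowlist=frozenset()):
    """Return one finding per POST to the endpoint from an IP outside the allowlist.

    The access log cannot tell us whether the client held a WordPress session,
    so every non-allowlisted POST is reported; a 2xx status on an unpatched
    site is the strongest signal that a clinic and user were actually created.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or not targets_endpoint(rec["path"]):
            continue
        if rec["ip"] in allowlist:
            continue
        findings.append({
            "ip": rec["ip"],
            "time": rec["time"],
            "path": rec["path"],
            "status": rec["status"],
            "likely_success": 200 <= rec["status"] < 300,
            "ua": rec.get("ua") or "",
        })
    return findings


def summarize(findings):
    """Count findings per source IP, a handy pivot for blocking and for IR notes."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG, allowlist=frozenset({"192.0.2.10"}))
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["status"]} likely_success={h["likely_success"]} {h["path"]}')
    print("per-IP:", summarize(hits))
```

To run it against a real log, replace `SAMPLE_LOG` with the file's lines (`open("/var/log/nginx/access.log")`) and put the administrator's addresses in `allowlist`; the `targets_endpoint` check is the part worth copying into a WAF or SIEM rule, because it is the `rest_route` form that plain path matching misses.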
Mitigation Strategies

The primary mitigation is to update the KiviCare – Clinic & Patient Management System plugin to version 4.1.3 or later, where the missing authorization check on the vulnerable REST API endpoint has been fixed.

  • Update the plugin to version 4.1.3 or newer as soon as possible, and confirm the installed version afterwards from the WordPress plugins page.
  • If an immediate update is not possible, block or restrict access to the endpoint at the web server, WAF or firewall level. The rule must cover both `/wp-json/kivicare/v1/setup-wizard/clinic` and the `?rest_route=` query form of the same route (including its URL-encoded variant), otherwise the block is trivially bypassed.
  • Review the WordPress user list and the plugin's clinic records for entries that were not created by staff; on a site that was exposed while unpatched, an unexpected clinic admin account is evidence of compromise, not just of an attempt.
  • Monitor logs for requests targeting this endpoint.
  • Consider temporarily deactivating the plugin if the risk is high and the update cannot be applied immediately.