CVE-2026-2992
Privilege Escalation in KiviCare Plugin via Unauthenticated REST API
Publication date: 2026-03-18
Last updated on: 2026-03-18
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iqonicdesign | kivicare_clinic_management_system | up to and including 4.1.2 |
| kivicare | kivicare | up to and including 4.1.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress has a vulnerability due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to and including 4.1.2.
This lack of authorization allows unauthenticated attackers to create a new clinic and a WordPress user with clinic admin privileges.
How can this vulnerability impact me?
Because attackers can create a new clinic and a WordPress user with clinic admin privileges without authentication, they can gain elevated access to the system.
This privilege escalation can lead to unauthorized control over clinic data and management functions, potentially compromising sensitive patient and clinic information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized access to the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint allowing creation of a new clinic and a WordPress user with clinic admin privileges. To detect exploitation attempts on your network or system, you can monitor HTTP requests targeting this specific REST API endpoint.
- Search the web server access logs for requests to `/wp-json/kivicare/v1/setup-wizard/clinic`.
- Example commands to check Apache or Nginx logs for suspicious POST requests:

  ```sh
  grep -i "/wp-json/kivicare/v1/setup-wizard/clinic" /var/log/apache2/access.log
  grep -i "/wp-json/kivicare/v1/setup-wizard/clinic" /var/log/nginx/access.log
  ```

- Look for POST requests without authentication or from unknown IP addresses.
- Use an intrusion detection system (IDS) or web application firewall (WAF) to alert on requests to this endpoint.
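The grep commands above only list raw log lines. The following shell script is an added example (not part of this CVE record or of the plugin) that triages an access log in the default combined log format used by Apache and Nginx: it reports which client IPs reached the endpoint and how many POST requests were answered with a 2xx status, which on an unpatched site are the requests that could actually have created a clinic and a clinic-admin user. It also matches the `index.php?rest_route=...` form through which WordPress dispatches the same REST route, since a search for the pretty `/wp-json/` path alone misses those requests. The log lines are constructed sample data using RFC 5737 documentation addresses; on a real host, point the functions at the server's own access log.

```shell
#!/bin/sh
# Added example for this record, not part of the CVE entry or the plugin: triage
# combined-format access logs (Apache/nginx default) for requests to the KiviCare
# setup-wizard clinic endpoint and report which clients hit it and with what result.

ENDPOINT_PATH='/wp-json/kivicare/v1/setup-wizard/clinic'
# WordPress also dispatches REST routes through index.php?rest_route=<route>, so a
# search that only looks at the pretty /wp-json/ path misses those requests.
ENDPOINT_ROUTE='rest_route=/kivicare/v1/setup-wizard/clinic'

# Print "client_ip method status" for every request that reached the endpoint.
# Combined log format fields: $1 client IP, $6 request method (with opening quote),
# $7 request path, $9 response status.
kivicare_endpoint_hits() {
    awk -v path="$ENDPOINT_PATH" -v route="$ENDPOINT_ROUTE" '
        index($7, path) == 1 || index($7, route) > 0 {
            print $1, substr($6, 2), $9
        }' "$1"
}

# Number of POST requests to the endpoint that the server answered with a 2xx status.
# On an unpatched site these are the requests that could have created a clinic and a
# clinic-admin user; after the fix, unauthenticated POSTs should be rejected instead.
kivicare_successful_posts() {
    kivicare_endpoint_hits "$1" | awk '$2 == "POST" && $3 ~ /^2/ { n++ } END { print n + 0 }'
}

# Hits per client IP, most active client first.
kivicare_hits_by_ip() {
    kivicare_endpoint_hits "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Constructed sample log (RFC 5737 documentation addresses) so the script runs offline.
# On a real host use /var/log/nginx/access.log or the Apache equivalent instead.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [18/Mar/2026:10:02:11 +0000] "POST /wp-json/kivicare/v1/setup-wizard/clinic HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.4 - - [18/Mar/2026:10:02:40 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8431 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Mar/2026:10:03:02 +0000] "POST /index.php?rest_route=/kivicare/v1/setup-wizard/clinic HTTP/1.1" 200 310 "-" "python-requests/2.31"
192.0.2.9 - - [18/Mar/2026:10:05:19 +0000] "GET /wp-json/kivicare/v1/setup-wizard/clinic HTTP/1.1" 404 51 "-" "curl/8.5.0"
198.51.100.4 - - [18/Mar/2026:10:07:45 +0000] "POST /wp-json/kivicare/v1/setup-wizard/clinic HTTP/1.1" 401 78 "-" "curl/8.5.0"
EOF

echo "Successful (2xx) POSTs to the endpoint: $(kivicare_successful_posts "$SAMPLE_LOG")"
echo "Hits by client IP:"
kivicare_hits_by_ip "$SAMPLE_LOG"
```

A non-zero count of successful POSTs on a site that was still on 4.1.2 or earlier is a reason to review the WordPress user list and the clinic records created around those timestamps, not just to patch.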
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update the KiviCare – Clinic & Patient Management System plugin to version 4.1.3 or later, where the missing authorization check on the vulnerable REST API endpoint has been fixed.
- Update the plugin to version 4.1.3 or newer as soon as possible.
- If immediate update is not possible, restrict access to the `/wp-json/kivicare/v1/setup-wizard/clinic` endpoint by IP or authentication at the web server or firewall level.
- Monitor logs for suspicious activity targeting this endpoint.
- Consider temporarily disabling the plugin if the risk is high and update cannot be applied immediately.
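To confirm whether an installation is on a fixed release, the installed version can be read from the `Version:` header that every WordPress plugin declares in its main PHP file and compared against 4.1.3, the fixed version named in this record. The script below is an added example (not from the CVE record or the plugin). It compares dotted version components numerically, because a plain string comparison would wrongly treat a hypothetical 4.10.0 as older than 4.1.3. The plugin directory and main file name in `PLUGIN_MAIN_FILE` are assumptions to be adjusted for the installation being checked; the header block the script parses here is constructed sample data so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the CVE record or the plugin: check whether the installed
# KiviCare version is below the fixed release named in this record (4.1.3) by reading
# the "Version:" header of the plugin's main PHP file.
FIXED_VERSION='4.1.3'
# Assumed plugin directory and main file name; adjust for the installation being checked.
PLUGIN_MAIN_FILE='/var/www/html/wp-content/plugins/kivicare-clinic-management-system/kivicare-clinic-management-system.php'

# Extract the version from a WordPress plugin header block (" * Version: x.y.z").
plugin_version() {
    sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 (true) when version $1 is older than version $2. Components are compared
# numerically one at a time, so 4.10.0 sorts above 4.1.3 and 4.2 above 4.1.3.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Print "vulnerable" when the given version is below the fixed release, else "fixed".
kivicare_status() {
    if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo fixed; fi
}

# Constructed sample header standing in for the plugin's main file so this runs offline;
# replace "$SAMPLE_PLUGIN" with "$PLUGIN_MAIN_FILE" on a real host.
SAMPLE_PLUGIN=$(mktemp)
trap 'rm -f "$SAMPLE_PLUGIN"' EXIT
cat > "$SAMPLE_PLUGIN" <<'EOF'
<?php
/**
 * Plugin Name: KiviCare - Clinic & Patient Management System (EHR)
 * Version: 4.1.2
 */
EOF

INSTALLED=$(plugin_version "$SAMPLE_PLUGIN")
echo "installed KiviCare $INSTALLED: $(kivicare_status "$INSTALLED")"
```

If the installed version reports as vulnerable and the update cannot be applied right away, the web-server or firewall restriction on the endpoint listed above is the interim measure, and the log triage from the detection section tells you whether the window has already been used.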