


Perceptive Security
SOC/SIEM Consultancy

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2.…
Published:
17 March 2026 at 23:00:00
Alert date:
18 March 2026 at 17:03:14
Source:
nvd.nist.gov
Web Technologies, Identity & Access, Data Breach & Exfiltration
The KiviCare Clinic & Patient Management System plugin for WordPress contains a critical authentication bypass vulnerability in all versions up to and including 4.1.2. The patientSocialLogin() function fails to verify social provider access tokens, allowing attackers to authenticate as any patient using only an email address and an arbitrary token value. This grants unauthorized access to sensitive medical records, appointments, prescriptions, and billing information, constituting a serious PII/PHI breach. The vulnerability also affects authentication cookie handling for non-patient users, including administrators.
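The fix pattern the description implies, as an added illustration rather than the plugin's own code: a social-login handler must ask the provider who owns the token and log in only the account the provider vouches for, ignoring the email the client supplied. The userinfo endpoint, the `patient` role slug and both function names below are assumptions, not KiviCare identifiers; only the WordPress API calls are real.

```php
<?php
// Added example, not KiviCare's code. Provider userinfo endpoints are
// assumed here; in practice take them from the provider's OIDC discovery document.
const SOCIAL_USERINFO = [
    'google' => 'https://openidconnect.googleapis.com/v1/userinfo',
];
const PATIENT_ROLE = 'patient'; // assumed role slug; substitute the plugin's own

/**
 * Ask the provider which identity $access_token belongs to.
 * Returns the profile array on success, null if the token is rejected.
 */
function verify_social_token( string $provider, string $access_token ): ?array {
    if ( ! isset( SOCIAL_USERINFO[ $provider ] ) ) {
        return null;                                   // unknown provider
    }
    $resp = wp_remote_get( SOCIAL_USERINFO[ $provider ], [
        'headers' => [ 'Authorization' => 'Bearer ' . $access_token ],
        'timeout' => 5,
    ] );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return null;                                   // provider did not accept it
    }
    $profile = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( empty( $profile['email'] ) || empty( $profile['email_verified'] ) ) {
        return null;                                   // no verified email claim
    }
    return $profile;
}

/**
 * Log in the patient whose address the provider confirmed. The request's
 * own email parameter is deliberately never consulted when picking the account.
 */
function patient_social_login( string $provider, string $access_token ) {
    $profile = verify_social_token( $provider, $access_token );
    if ( null === $profile ) {
        return new WP_Error( 'invalid_token', 'Social login token rejected.' );
    }
    $user = get_user_by( 'email', $profile['email'] );
    // Keep this path for patients only; staff and admins use the normal login.
    if ( ! $user || ! in_array( PATIENT_ROLE, (array) $user->roles, true ) ) {
        return new WP_Error( 'not_patient', 'No patient account for this identity.' );
    }
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    return $user;
}
```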
Technical details:
Mitigation steps:
Affected products:
KiviCare Clinic & Patient Management System WordPress Plugin
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-2991
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/AuthController.php#L1852
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/AuthController.php#L284
https://plugins.trac.wordpress.org/changeset/3467409/
https://www.wordfence.com/threat-intel/vulnerabilities/id/8d22448b-aa8e-4775-b7c5-e7bae94a3f6d?source=cve
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
