Description
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2. This is due to the `patientSocialLogin()` function not verifying the social provider access token before authenticating a user. This makes it possible for unauthenticated attackers to log in as any patient registered on the system by providing only their email address and an arbitrary value for the access token, bypassing all credential verification. The attacker gains access to sensitive medical records, appointments, prescriptions, and billing information (PII/PHI breach). Additionally, authentication cookies are set before the role check, meaning the auth cookies for non-patient users (including administrators) are also set in the HTTP response headers, even though a 403 response is returned.
Published: 2026-03-18
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to authenticate as any patient by supplying that patient's email address together with an arbitrary access token value. The plugin's patientSocialLogin() function never presents the token to the social provider for validation before issuing WordPress authentication cookies, so the client-supplied email is treated as a proven identity. This grants full access to that patient's protected data (medical records, appointments, prescriptions, billing information), a PII/PHI breach. A second defect compounds it: the role check runs only after the cookies have already been set, so a request naming a non-patient account (administrators included) is answered with a 403 whose response headers nevertheless carry valid auth cookies for that account; a client that ignores the status code and keeps the cookies is logged in as that user.
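The ordering the advisory describes as broken (authenticate on a client-supplied email, set cookies, then check the role) versus the ordering a social-login handler needs (verify the token with the provider, take the email from the provider's answer, authorize, and only then set cookies) is easiest to see in code. The following WordPress handler is an added example written for this page; it is not KiviCare's code and makes no claim about how the plugin is structured. It assumes Google as the provider, an admin-ajax action name `demo_patient_social_login`, a patient role named `demo_patient`, and an option `demo_google_client_id` holding the OAuth client ID; all four names are hypothetical.

```php
<?php
/**
 * Hardened shape of a WordPress social-login handler.
 *
 * Added example for this page, not KiviCare's code. Hypothetical names:
 * action "demo_patient_social_login", role "demo_patient", option
 * "demo_google_client_id". Provider assumed to be Google.
 */

add_action( 'wp_ajax_nopriv_demo_patient_social_login', 'demo_patient_social_login' );

/**
 * Ask the identity provider who the token belongs to. The email the client
 * posted is never used: the only email that counts is the one the provider
 * returns for a token it actually issued to this application.
 *
 * Google's tokeninfo endpoint answers 200 with JSON such as
 * {"aud": "<client id>", "email": "...", "email_verified": "true", ...}
 * and a non-200 status for an unknown, expired or revoked token.
 *
 * @return string|null verified email address, or null to fail closed
 */
function demo_verify_google_token( $access_token, $expected_client_id ) {
    if ( '' === $access_token || '' === $expected_client_id ) {
        return null;
    }
    $url      = 'https://oauth2.googleapis.com/tokeninfo?access_token=' . rawurlencode( $access_token );
    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return null; // provider rejected the token, or is unreachable: fail closed
    }
    $claims = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $claims ) || empty( $claims['email'] ) ) {
        return null;
    }
    // Reject tokens minted for some other application (audience confusion).
    if ( ! isset( $claims['aud'] ) || $claims['aud'] !== $expected_client_id ) {
        return null;
    }
    if ( ! filter_var( $claims['email_verified'] ?? 'false', FILTER_VALIDATE_BOOLEAN ) ) {
        return null;
    }
    return (string) $claims['email'];
}

function demo_patient_social_login() {
    $access_token = isset( $_POST['access_token'] ) ? (string) wp_unslash( $_POST['access_token'] ) : '';

    // Vulnerable pattern (what the advisory describes): look up $_POST['email'],
    // call wp_set_auth_cookie(), and check the role afterwards.
    // Hardened: the email comes from the provider, never from the request.
    $email = demo_verify_google_token( $access_token, (string) get_option( 'demo_google_client_id', '' ) );
    if ( null === $email ) {
        wp_send_json_error( array( 'message' => 'Social login failed.' ), 401 );
    }

    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        // Same message and status as above so the endpoint does not confirm
        // which email addresses have accounts.
        wp_send_json_error( array( 'message' => 'Social login failed.' ), 401 );
    }

    // Authorization BEFORE any cookie is issued. The second defect in the
    // advisory was the reverse order: cookies set, then a 403 for non-patients.
    if ( ! in_array( 'demo_patient', (array) $user->roles, true ) ) {
        wp_send_json_error( array( 'message' => 'Social login is available to patients only.' ), 403 );
    }

    // Only now is the request both authenticated and authorized.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    wp_send_json_success( array( 'redirect' => home_url( '/patient-dashboard/' ) ) );
}
```

wp_send_json_error() terminates the request, so every failure branch above ends the response before wp_set_auth_cookie() is reached. When reviewing a handler of this kind, the two questions to ask are exactly the two the advisory raises: is the provider consulted at all, and is there any code path on which Set-Cookie is emitted before the authorization decision.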

Affected Systems

Any installation of the KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress at version 4.1.2 or earlier is vulnerable.

Risk and Exploitability

The CVSS 3.1 base score is 7.3 (High; vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), revised on 2026-04-08 from the originally published 9.8 (C:H/I:H/A:H); the SSVC record still rates the technical impact as total and the flaw as automatable, so the revision should not be read as lowering the practical impact. The EPSS score of less than 1% denotes a low predicted likelihood of exploitation in the wild, and the issue is not listed in CISA's KEV catalog. The attack is a single unauthenticated HTTP request to the social-login handler; the only attacker-supplied value that has to be correct is the target's registered email address, since the access token is never checked. No privileges, user interaction, or special configuration are needed to exploit the flaw.

Generated by OpenCVE AI on April 8, 2026 at 18:38 UTC.

Remediation

No vendor fix or workaround is referenced in the CVE record (its References field is empty; see History below).

OpenCVE Recommended Actions

  • Update KiviCare to a version later than 4.1.2 (4.1.3 or later) on every site that runs it.
  • If updating is not immediately possible, disable the plugin's social login feature, or block requests to the social-login handler at the web server or WAF, until the update is applied.
  • After updating or mitigating, test the handler directly: submit a request for a non-patient (for example administrator) account with a bogus token and confirm the response is a 403 that carries no Set-Cookie headers for WordPress auth cookies (wordpress_logged_in_*, wordpress_sec_* or wordpress_*); repeat for a patient account and confirm that no cookies are issued without a valid provider token.
  • Review login activity and web-server access logs for social-login requests, especially logins to patient or administrator accounts from unfamiliar IP addresses; treat any such access before patching as a potential PHI disclosure.
  • If the plugin is not essential, deactivate it entirely until a patched version is installed.
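The second action above (disable social login until the update lands) can be done without editing the plugin by short-circuiting its handler from a must-use plugin. The following is an added example for this page, not KiviCare's code or a vendor workaround. It assumes the vulnerable handler is registered as an admin-ajax action named `demo_patient_social_login` (hypothetical; read the real action name from the plugin's add_action() calls and substitute it), and it relies on the WordPress rule that callbacks with a lower priority number run first, so a callback at priority -100 that terminates the request prevents the plugin's own callback from running.

```php
<?php
/**
 * Plugin Name: Block social login (temporary mitigation)
 * Description: Added example for this page, not KiviCare's code. Place in
 *              wp-content/mu-plugins/ and remove once the plugin is updated.
 *
 * Assumption (hypothetical): the handler is the admin-ajax action
 * "demo_patient_social_login". Both the logged-out (nopriv) and logged-in
 * variants are covered, since the flaw is reachable unauthenticated.
 */

$demo_blocked_actions = array(
    'wp_ajax_nopriv_demo_patient_social_login',
    'wp_ajax_demo_patient_social_login',
);
foreach ( $demo_blocked_actions as $demo_hook ) {
    // Priority -100 runs before any plugin callback added at the default 10.
    add_action( $demo_hook, 'demo_block_social_login', -100 );
}

/**
 * Refuse the request before the vulnerable handler can run, and record the
 * attempt so the "review login activity" action has something to review.
 * No cookie is set on this path, which is the property being restored.
 */
function demo_block_social_login() {
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '-';
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '-';
    error_log( sprintf( 'social login blocked (mitigation for CVE-2026-2991): ip=%s email=%s', $ip, $email ) );
    wp_send_json_error( array( 'message' => 'Social login is temporarily disabled.' ), 503 );
}
```

Because this only covers an admin-ajax registration, confirm where the plugin actually wires the handler; if it is exposed through the REST API or a custom front-end route, block that path at the web server instead. Verify the mitigation the same way as the patch: a request to the handler must return without any WordPress auth cookie in Set-Cookie.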

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

  • Metrics (cvssV3_1)
      Removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
      Added:   {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}


Thu, 19 Mar 2026 09:45:00 +0000

  • First Time appeared
      Added: Iqonicdesign; Iqonicdesign kivicare – Clinic & Patient Management System (ehr); Wordpress; Wordpress wordpress
  • Vendors & Products
      Added: Iqonicdesign; Iqonicdesign kivicare – Clinic & Patient Management System (ehr); Wordpress; Wordpress wordpress

Wed, 18 Mar 2026 16:15:00 +0000

  • Metrics (ssvc)
      Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 15:45:00 +0000

  • Description
      Added: The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2. This is due to the `patientSocialLogin()` function not verifying the social provider access token before authenticating a user. This makes it possible for unauthenticated attackers to log in as any patient registered on the system by providing only their email address and an arbitrary value for the access token, bypassing all credential verification. The attacker gains access to sensitive medical records, appointments, prescriptions, and billing information (PII/PHI breach). Additionally, authentication cookies are set before the role check, meaning the auth cookies for non-patient users (including administrators) are also set in the HTTP response headers, even though a 403 response is returned.
  • Title
      Added: KiviCare – Clinic & Patient Management System (EHR) <= 4.1.2 - Unauthenticated Authentication Bypass via Social Login Token
  • Weaknesses
      Added: CWE-287
  • References
      Added: (none)
  • Metrics (cvssV3_1)
      Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:09.141Z

Reserved: 2026-02-22T20:50:37.905Z

Link: CVE-2026-2991

Vulnrichment

Updated: 2026-03-18T16:05:08.503Z

NVD

Status : Awaiting Analysis

Published: 2026-03-18T16:16:27.400

Modified: 2026-04-08T18:25:59.640

Link: CVE-2026-2991

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T20:01:30Z

Weaknesses