PT-2026-26070 · WordPress · Kivicare – Clinic & Patient Management System

Gibran Abdillah · Published 2026-03-18 · Updated 2026-04-04 · CVE-2026-2991

CVSS v3.1: 7.3 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions

KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress, versions up to and including 4.1.2

Description

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is susceptible to Authentication Bypass. This occurs because the patientSocialLogin() function does not validate the social provider access token before authenticating a user. This allows unauthenticated attackers to log in as any registered patient by providing only their email address and an arbitrary value for the access token, bypassing credential verification. Successful exploitation grants access to sensitive medical records, appointments, prescriptions, and billing information, resulting in a potential PII/PHI breach. Authentication cookies are also set for non-patient users, including administrators, even when a 403 response is returned. The vulnerable parameter is the access token used in the patientSocialLogin() function.

Recommendations

Versions up to and including 4.1.2 should be updated to a newer, fixed version if available. As a temporary workaround, consider disabling the patientSocialLogin() function until a patch is available.
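The two defects the description names, a token that is never checked and a session cookie issued before the role check, are shown below as an added illustration written for this advisory; it is not KiviCare's code and does not reproduce patientSocialLogin(). It uses WordPress core APIs (get_user_by, wp_remote_get, wp_set_auth_cookie, wp_send_json_error) and assumes a hypothetical provider token-introspection endpoint (PROVIDER_TOKENINFO_URL), a hypothetical registered client id (EXPECTED_CLIENT_ID) and a hypothetical patient role slug (PATIENT_ROLE); the plugin's real role names and provider endpoints are not given on this page.

```php
<?php
// Added illustration, not the plugin's code. Placeholder values are hypothetical.
const PROVIDER_TOKENINFO_URL = 'https://provider.example/tokeninfo'; // hypothetical
const EXPECTED_CLIENT_ID     = 'placeholder-client-id';              // hypothetical
const PATIENT_ROLE           = 'patient';                            // hypothetical slug

// Vulnerable shape (illustrative): the email is caller-controlled, $access_token is
// never inspected, and the cookie is set before the role check, so a 403 for a
// non-patient still leaves an authenticated session behind.
function social_login_unsafe( $email, $access_token ) {
    $user = get_user_by( 'email', sanitize_email( $email ) );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 404 );
    }
    wp_set_auth_cookie( $user->ID );                       // session created here
    if ( ! in_array( PATIENT_ROLE, (array) $user->roles, true ) ) {
        wp_send_json_error( 'forbidden', 403 );            // too late: cookie already set
    }
    wp_send_json_success();
}

// Hardened shape: ask the provider who the token belongs to, and trust only that answer.
// Returns the provider-verified email, or null if the token is not acceptable.
function verify_provider_token( $access_token ) {
    if ( ! is_string( $access_token ) || '' === $access_token ) {
        return null;
    }
    $response = wp_remote_get(
        PROVIDER_TOKENINFO_URL,
        array(
            'timeout' => 5,
            'headers' => array( 'Authorization' => 'Bearer ' . $access_token ),
        )
    );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    $claims = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $claims ) ) {
        return null;
    }
    // The token must have been issued to this site's registered client, not to some
    // other app the same user authorised; claim name 'aud' is assumed here.
    if ( ! hash_equals( EXPECTED_CLIENT_ID, (string) ( $claims['aud'] ?? '' ) ) ) {
        return null;
    }
    // Only a provider-verified email is usable as an identity; the request body's
    // email is never consulted.
    if ( empty( $claims['email'] ) || empty( $claims['email_verified'] ) ) {
        return null;
    }
    return sanitize_email( $claims['email'] );
}

function social_login_hardened( $access_token ) {
    $verified_email = verify_provider_token( $access_token );
    if ( null === $verified_email ) {
        wp_send_json_error( 'invalid token', 401 );
    }
    $user = get_user_by( 'email', $verified_email );
    if ( ! $user ) {
        wp_send_json_error( 'unknown user', 404 );
    }
    // Authorisation before any session state: a 403 here never produces a cookie,
    // so administrators and other non-patients cannot be logged in via this path.
    if ( ! in_array( PATIENT_ROLE, (array) $user->roles, true ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    wp_send_json_success( array( 'user_id' => $user->ID ) );
}
```

The ordering in the hardened version is the point: verify the token with its issuer, derive the account from the issuer's answer rather than from request input, check the role, and only then call wp_set_auth_cookie(). Each wp_send_json_error() call ends the request via wp_die(), so no code after a failed check runs.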

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2026-2991

Affected Products

Kivicare – Clinic & Patient Management System