PT-2026-26071 · WordPress · Kivicare – Clinic & Patient Management System
Athiwat Tiprasaharn +1
Published: 2026-03-18 · Updated: 2026-03-18
CVE-2026-2992
CVSS v3.1: 8.2 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress versions up to and including 4.1.2
Description
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress, in versions up to and including 4.1.2, allows unauthenticated attackers to create a new clinic and a WordPress user account holding the plugin's clinic admin role. The cause is a missing authorization check on the /wp-json/kivicare/v1/setup-wizard/clinic REST API endpoint: the setup-wizard functionality is reachable without any credentials, so the intended access control is bypassed. This matches the CVSS vector (PR:N, UI:N, I:H): no privileges or user interaction are required, and the primary impact is on the integrity of the site's user and clinic data.
Recommendations
Update the KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress to a version later than 4.1.2. Updating closes the endpoint but does not remove anything an attacker may already have created: audit the site for clinic admin users and clinics that appeared after the setup wizard was originally completed, and treat unexplained ones as indicators of compromise.
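Added illustration, not KiviCare's code and not taken from this advisory: the WordPress REST route pattern behind this class of flaw, showing a setup-wizard route registered with no authorization beside a hardened registration. The namespace example-clinic/v1, the custom role example_clinic_admin, the option example_clinic_setup_complete and all function names are hypothetical.

```php
<?php
// Hypothetical plugin code illustrating a missing-authorization REST route
// and its fix. Not KiviCare's code; all names are assumptions.

// Vulnerable shape: permission_callback unconditionally returns true, so any
// unauthenticated client can POST to the route and run the setup wizard.
function example_register_setup_route_vulnerable() {
    register_rest_route( 'example-clinic/v1', '/setup-wizard/clinic', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST
        'callback'            => 'example_create_clinic',
        'permission_callback' => '__return_true',            // no authorization
    ) );
}

// Hardened shape: the permission callback requires an administrative
// capability and refuses to run once setup has been completed, and the
// request arguments are validated/sanitized before the handler sees them.
function example_register_setup_route_hardened() {
    register_rest_route( 'example-clinic/v1', '/setup-wizard/clinic', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_create_clinic',
        'permission_callback' => 'example_setup_wizard_permission',
        'args'                => array(
            'name' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'admin_email' => array(
                'required'          => true,
                'validate_callback' => 'is_email',
                'sanitize_callback' => 'sanitize_email',
            ),
        ),
    ) );
}

function example_setup_wizard_permission( WP_REST_Request $request ) {
    // Capability check: anonymous requests and low-privilege roles fail here.
    // rest_authorization_required_code() yields 401 for anonymous callers
    // and 403 for authenticated callers who lack the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to run the setup wizard.', 'example-clinic' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    // One-shot guard (hypothetical option): a wizard that creates a clinic
    // and a privileged user must not be re-runnable after initial setup.
    if ( get_option( 'example_clinic_setup_complete' ) ) {
        return new WP_Error(
            'rest_setup_complete',
            __( 'Setup has already been completed.', 'example-clinic' ),
            array( 'status' => 403 )
        );
    }
    return true;
}

// Handler: creates the clinic admin user and the clinic record. It relies on
// the permission callback above for authorization and does none itself, which
// is exactly why a permissive permission_callback is a full bypass.
function example_create_clinic( WP_REST_Request $request ) {
    $name  = $request->get_param( 'name' );
    $email = $request->get_param( 'admin_email' );

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $email, true ),
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'example_clinic_admin', // hypothetical custom role
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    $clinic_id = wp_insert_post( array(
        'post_type'   => 'example_clinic', // hypothetical post type
        'post_title'  => $name,
        'post_status' => 'publish',
        'post_author' => $user_id,
    ), true );
    if ( is_wp_error( $clinic_id ) ) {
        return $clinic_id;
    }

    update_option( 'example_clinic_setup_complete', true );
    return rest_ensure_response( array(
        'clinic_id'     => $clinic_id,
        'admin_user_id' => $user_id,
    ) );
}

add_action( 'rest_api_init', 'example_register_setup_route_hardened' );
```

The check a reviewer applies to any REST route is whether its permission_callback actually consults the caller's identity: '__return_true' is only acceptable for genuinely public, read-only data, never for a route that creates users or changes site state. Since WordPress 5.5, omitting permission_callback entirely triggers a _doing_it_wrong notice, so grepping a plugin for '__return_true' next to register_rest_route is a quick way to find candidates for this weakness class.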
Fix
LPE
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Kivicare – Clinic & Patient Management System