CVE-2026-2992 Overview
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress contains a critical privilege escalation vulnerability due to missing authorization checks on the /wp-json/kivicare/v1/setup-wizard/clinic REST API endpoint. This vulnerability affects all versions up to and including 4.1.2, allowing unauthenticated attackers to create new clinics and WordPress user accounts with clinic admin privileges.
Critical Impact
Unauthenticated attackers can gain administrative access to WordPress sites by exploiting the unprotected REST API endpoint to create privileged clinic admin accounts.
Affected Products
- KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress versions up to and including 4.1.2
- WordPress installations with KiviCare plugin enabled
- Healthcare and clinic management systems using KiviCare EHR
Discovery Timeline
- 2026-03-18 - CVE-2026-2992 published to NVD
- 2026-03-19 - Last updated in the NVD database
Technical Details for CVE-2026-2992
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization) and represents a significant security flaw in the KiviCare plugin's setup wizard functionality. The REST API endpoint responsible for clinic creation lacks proper authentication and authorization checks, allowing any remote attacker to invoke sensitive administrative functions without credentials.
The flaw enables attackers to bypass the normal WordPress user registration and permission system entirely. By sending crafted requests to the vulnerable endpoint, an attacker can instantiate new clinic entities and simultaneously create WordPress user accounts that possess clinic administrator privileges within the KiviCare system.
Root Cause
The root cause of this vulnerability lies in the SetupWizardController.php file, specifically in the clinic setup endpoint implementation. The developers failed to implement proper capability checks or nonce verification before processing requests to create clinics and associated admin users. This is a common pattern in WordPress plugin development where REST API endpoints are exposed without the necessary permission_callback function or equivalent authorization logic.
The affected code can be reviewed in the WordPress KiviCare code review together with the additional endpoint logic.
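As an added illustration (not the KiviCare plugin's own source), the WordPress-level shape of the flaw described above: a REST route registered without a permission_callback, next to the hardened registration that gates the same route on a capability. The handler name kc_example_create_clinic, the clinic_name argument and the manage_options choice are assumptions for the example; the hooks and WordPress functions are real.

```php
<?php
// Added illustration, not the KiviCare plugin's own code. The handler name and the
// clinic_name argument are hypothetical; the hooks and WordPress calls are real.

// Vulnerable registration (the CWE-862 pattern): no 'permission_callback', so
// WP_REST_Server hands every request, authenticated or not, to the callback.
function kc_example_register_vulnerable() {
    register_rest_route( 'kivicare/v1', '/setup-wizard/clinic', array(
        'methods'  => 'POST',
        'callback' => 'kc_example_create_clinic',
        // missing: 'permission_callback' => ...
    ) );
}

// Hardened registration: the route is only dispatched when the caller holds
// manage_options. With cookie authentication WordPress sets the current user
// only if a valid X-WP-Nonce accompanies the request, so a forged cross-site
// request is treated as unauthenticated and current_user_can() returns false.
function kc_example_register_hardened() {
    register_rest_route( 'kivicare/v1', '/setup-wizard/clinic', array(
        'methods'             => 'POST',
        'callback'            => 'kc_example_create_clinic',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to run the setup wizard.' ),
                array( 'status' => rest_authorization_required_code() ) // 401 or 403
            );
        },
        'args' => array(
            'clinic_name' => array( // hypothetical argument
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
}

// Only the hardened registration is hooked; the vulnerable one is kept for contrast.
add_action( 'rest_api_init', 'kc_example_register_hardened' );

// Hypothetical handler: in the real plugin this is where the clinic and its admin
// user would be created; the example only echoes the validated input back.
function kc_example_create_clinic( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'created'     => true,
        'clinic_name' => $request->get_param( 'clinic_name' ),
    ) );
}
```

A cheap code-review check for this class of bug is to grep a plugin for register_rest_route calls whose argument array has no permission_callback key; WordPress 5.5 and later also emits a _doing_it_wrong notice for such registrations, which shows up in the debug log.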
Attack Vector
The attack is network-based and requires no authentication, making it particularly dangerous for publicly accessible WordPress installations. An attacker can exploit this vulnerability by:
- Identifying a WordPress site running the vulnerable KiviCare plugin
- Sending a crafted POST request to the /wp-json/kivicare/v1/setup-wizard/clinic endpoint
- Including parameters to define a new clinic and an associated admin user account
- Gaining access to the WordPress dashboard with elevated privileges through the newly created account
The vulnerability allows creation of accounts with clinic admin privileges, which may provide access to sensitive patient health information and system configuration options depending on the plugin's role hierarchy and integration depth.
Detection Methods for CVE-2026-2992
Indicators of Compromise
- Unexpected user accounts with clinic administrator roles appearing in WordPress user management
- New clinic entries created without legitimate administrator action
- Unusual POST requests to /wp-json/kivicare/v1/setup-wizard/clinic in web server access logs
- Authentication events for unknown clinic admin accounts
Detection Strategies
- Monitor WordPress REST API logs for requests to the KiviCare setup wizard endpoints
- Implement Web Application Firewall (WAF) rules to detect and block unauthorized access to /wp-json/kivicare/v1/setup-wizard/ paths
- Audit WordPress user creation events for accounts with KiviCare-related roles
- Review server access logs for high volumes of POST requests targeting plugin API endpoints
Monitoring Recommendations
- Enable detailed logging for WordPress REST API activity
- Set up alerts for new user account creations, particularly those with administrative capabilities
- Monitor for changes to the wp_users and wp_usermeta tables related to KiviCare roles
- Implement network-level monitoring for suspicious traffic patterns to WordPress API endpoints
How to Mitigate CVE-2026-2992
Immediate Actions Required
- Update the KiviCare plugin to the latest patched version immediately
- Audit existing WordPress users for any unauthorized clinic admin accounts
- Review recent access logs for evidence of exploitation attempts
- Temporarily disable the KiviCare plugin if immediate patching is not possible
Patch Information
The vulnerability has been addressed in the WordPress plugin changeset update. Site administrators should update to the patched version through the WordPress plugin update mechanism. Additional vulnerability details and remediation guidance are available in the Wordfence Vulnerability Analysis.
Workarounds
- Block access to the /wp-json/kivicare/v1/setup-wizard/ endpoint at the web server or WAF level
- Implement IP-based access restrictions for WordPress REST API endpoints
- Disable REST API access for unauthenticated users using security plugins if not required for site functionality
- Remove or deactivate the KiviCare plugin until the patched version can be applied
# Apache .htaccess rule to block the vulnerable endpoint. Put it in the WordPress
# root .htaccess above the "# BEGIN WordPress" block so it runs before WordPress's own rewrite rules.
<IfModule mod_rewrite.c>
RewriteEngine On
# Pretty-permalink form of the REST route; unanchored so subdirectory installs (/blog/wp-json/...) are covered
RewriteCond %{REQUEST_URI} /wp-json/kivicare/v1/setup-wizard/ [NC,OR]
# Query-string form of the same route, which WordPress also accepts (rest_route=/kivicare/v1/setup-wizard/..., plain or %2F-encoded)
RewriteCond %{QUERY_STRING} (^|&)rest_route=(/|%2F)kivicare(/|%2F)v1(/|%2F)setup-wizard [NC]
RewriteRule ^ - [F,L]
</IfModule>
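For sites where the web-server layer cannot be changed, the same workaround can be applied inside WordPress. The following mu-plugin is an added example, not KiviCare's or Wordfence's code: it implements the endpoint block from the Workarounds list as a virtual patch and the alerting from the Detection Strategies and Monitoring Recommendations sections (refused requests and new accounts with KiviCare roles are written to the PHP error log). The route prefix matches the endpoint named in this advisory; the role-slug prefix "kivicare" is an assumption and must be replaced with the plugin's actual role names.

```php
<?php
/**
 * Plugin Name: KiviCare setup-wizard guard (added example, not KiviCare's code)
 *
 * Stop-gap mu-plugin for wp-content/mu-plugins/ until the plugin is updated:
 * 1) refuses REST requests to the setup-wizard route unless the caller holds
 *    manage_options, 2) logs each refused attempt, and 3) logs every account
 *    that is created with, or switched to, a KiviCare role.
 * The role prefix is an assumption; replace it with the real role slugs.
 */

const KC_GUARD_ROUTE_PREFIX = '/kivicare/v1/setup-wizard';
const KC_GUARD_ROLE_PREFIX  = 'kivicare'; // assumed prefix of KiviCare role slugs

// 1) Virtual patch. rest_pre_dispatch runs in WP_REST_Server::dispatch() before
//    any route callback, so a WP_Error returned here goes to the client instead.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    $route = $request->get_route();
    if ( 0 !== strpos( $route, KC_GUARD_ROUTE_PREFIX ) ) {
        return $result; // some other route: leave it alone
    }
    if ( current_user_can( 'manage_options' ) ) {
        return $result; // administrator with a valid nonce: let the plugin proceed
    }
    // 2) Record the refused attempt. REMOTE_ADDR is the peer address; only trust a
    //    forwarded header if a reverse proxy you control sets it.
    error_log( sprintf(
        'kc-guard: blocked %s %s from %s',
        $request->get_method(),
        $route,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    return new WP_Error(
        'rest_forbidden',
        __( 'The setup wizard is disabled on this site.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );

// 3) Role watch. user_register fires after wp_insert_user() has assigned the
//    initial role; set_user_role/add_user_role catch roles assigned afterwards.
function kc_guard_note_role( $user_id, $role ) {
    if ( 0 !== strpos( $role, KC_GUARD_ROLE_PREFIX ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    error_log( sprintf(
        'kc-guard: user %s (ID %d) now has role %s; acting user ID %d',
        $user ? $user->user_login : '?', $user_id, $role, get_current_user_id()
    ) );
}
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user ) {
        foreach ( $user->roles as $role ) {
            kc_guard_note_role( $user_id, $role );
        }
    }
} );
add_action( 'set_user_role', 'kc_guard_note_role', 10, 2 );
add_action( 'add_user_role', 'kc_guard_note_role', 10, 2 );
```

With WP_DEBUG_LOG enabled the messages land in wp-content/debug.log, otherwise in the PHP error log configured for the site; either can be shipped to a SIEM. A role-assignment line whose acting user ID is 0 means the account was created by an unauthenticated request, which is exactly the indicator of compromise listed above. The guard is a stop-gap, not a replacement for applying the vendor patch.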
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


