CVE-2026-2992:
Privilege escalation vulnerability in KiviCare WordPress plugin allows unauthenticated attackers to create admin accounts.
Score
- Score: 8.2 (High)
- Published Date: Mar 18, 2026
- CISA KEV Date: *No Data*
- Industries Affected: 20
Exploitability
- Score: 3.9
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 4.2
- Confidentiality Impact: LOW
- Integrity Impact: HIGH
- Availability Impact: NONE
Overview
The vulnerability (CVE-2026-2992) in the KiviCare WordPress plugin presents a significant security risk due to missing authorization checks. This flaw enables unauthenticated attackers to bypass normal authentication processes and create new clinic entities along with associated admin-level user accounts. The vulnerability has been assigned a CVSS v3.1 base score of 8.2, indicating a high severity level. The attack vector is network-based, requires no user interaction, and can be executed with low complexity. While the confidentiality impact is low, the integrity impact is high, as attackers can manipulate user privileges and potentially gain unauthorized access to sensitive clinic data.
Remediation
- To address this vulnerability, website administrators using the KiviCare plugin should immediately update to the latest version that includes the security patch. If an immediate update is not possible, consider temporarily disabling the plugin until the update can be applied. Additionally, conduct a thorough review of user accounts and clinic setups to identify any potentially unauthorized additions. Implement strong access controls and regularly audit API endpoints for proper authorization checks. As a general best practice, maintain regular backups, monitor for suspicious activities, and keep all WordPress core files, themes, and plugins up to date.
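As an added illustration of the vulnerability class described above (a WordPress REST endpoint whose permission callback performs no authorization check before an administrator account is created) and of the account-review step in the remediation, the PHP below is example code written for this page, not KiviCare's own code. The route names, the `example_*` function names and the `example_clinic_setup_complete` option key are hypothetical; the WordPress API calls (`register_rest_route`, `current_user_can`, `wp_insert_user`, `get_users`) are real.

```php
<?php
// Added illustration (not KiviCare's code): a plugin "setup wizard" REST
// endpoint that creates an administrator account, shown first without an
// authorization check and then with one. All example_* names are hypothetical.

// --- Weak pattern: anyone who can reach the site over the network can call it.
// '__return_true' as permission_callback means no login or capability check
// happens before the callback runs, which is the missing-authorization flaw.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-clinic/v1', '/setup/admin', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_clinic_admin',
        'permission_callback' => '__return_true', // no authorization at all
    ) );
} );

// --- Hardened pattern: same callback, guarded by a real permission check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-clinic/v1', '/setup/admin-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_clinic_admin',
        'permission_callback' => 'example_setup_permission_check',
    ) );
} );

// Only an already-privileged, authenticated user may run setup, and only
// while setup has not yet been completed (hypothetical option key).
function example_setup_permission_check( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    if ( get_option( 'example_clinic_setup_complete' ) ) {
        return new WP_Error( 'rest_setup_done', 'Setup has already been completed.', array( 'status' => 409 ) );
    }
    return true;
}

// Shared callback: the permission callback is the only difference between routes.
function example_create_clinic_admin( WP_REST_Request $request ) {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( (string) $request->get_param( 'user_login' ) ),
        'user_email' => sanitize_email( (string) $request->get_param( 'user_email' ) ),
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'administrator',
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id; // WP_Error becomes a JSON error response
    }
    update_option( 'example_clinic_setup_complete', 1 );
    return new WP_REST_Response( array( 'user_id' => $user_id ), 201 );
}

// --- Review step from the remediation: administrator accounts registered
// recently. Each returned WP_User has user_login and user_registered set.
function example_recent_admins( $since = '7 days ago' ) {
    return get_users( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => $since, 'column' => 'user_registered' ) ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );
}
```

The guarded route still requires the caller to be authenticated to WordPress (for cookie-based REST calls that also means a valid `X-WP-Nonce` header), so an unauthenticated request receives a 403 instead of a new account. The `example_recent_admins()` helper is meant to be run from WP-CLI or an admin-only page after applying the update, so that any administrator created during the exposure window stands out.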
References
- [1] WordPress.org. "KiviCare Clinic Management System - SetupWizardController.php (Line 162)." plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L162.
- [2] WordPress.org. "KiviCare Clinic Management System - SetupWizardController.php (Line 31)." plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L31.
- [3] WordPress.org. "Changeset 3467409." plugins.trac.wordpress.org/changeset/3467409/.
- [4] Wordfence. "Vulnerability: KiviCare - Clinic & Patient Management System (EHR) <= 4.1.2 - Unauthenticated Privilege Escalation." www.wordfence.com/threat-intel/vulnerabilities/id/d96743ea-08b1-4b4c-9d62-558b97a6e297?source=cve.