KiviCare – Clinic & Patient Management System (EHR) Vulnerability (…


Mar 18, 2026 | Plugins

Attack Vectors

A high-severity vulnerability (CVSS 8.2) in KiviCare – Clinic & Patient Management System (EHR) (plugin slug: kivicare-clinic-management-system), tracked as CVE-2026-2992, affects all versions up to and including 4.1.2. It can be exploited remotely over the internet with no login and no user interaction required.

The attack targets KiviCare’s setup workflow by calling a publicly accessible WordPress REST API route. If the plugin is exposed on a production site (even if you believe setup is “already done”), an attacker may be able to trigger the setup process to create a new clinic and a new user account with elevated “clinic admin” privileges.

Security Weakness

The core issue is missing authorization on the REST API endpoint /wp-json/kivicare/v1/setup-wizard/clinic in KiviCare versions <= 4.1.2. In practical terms, the endpoint does not adequately enforce “who is allowed to do this,” allowing an unauthenticated request to perform actions intended only for trusted administrators.

This weakness enables unauthenticated privilege escalation: an attacker can create a new clinic and also create a WordPress user associated with that clinic with clinic admin privileges. For business leaders, this is equivalent to an unknown party gaining an administrative foothold in operational systems that support patient workflows, scheduling, and clinic operations.
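As an added illustration (not KiviCare's own code), the following hypothetical plugin registers the route named above with the weak permission check shown beside the hardened one; the option name, role name and function names are assumptions:

```php
<?php
/**
 * Added illustrative example, not KiviCare's code. A hypothetical plugin
 * exposing the route named in the advisory. Option and role names are assumed.
 */
add_action( 'rest_api_init', function () {
    register_rest_route( 'kivicare/v1', '/setup-wizard/clinic', array(
        'methods'  => 'POST',
        'callback' => 'example_setup_clinic',
        // WEAK: '__return_true' lets any unauthenticated caller reach the handler.
        // 'permission_callback' => '__return_true',
        // HARDENED: authorization is decided per request, before the handler runs.
        'permission_callback' => 'example_setup_clinic_permission',
        'args' => array(
            'clinic_name' => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
            'admin_email' => array( 'required' => true, 'sanitize_callback' => 'sanitize_email' ),
        ),
    ) );
} );

// Only a logged-in administrator may run the wizard, and only once.
function example_setup_clinic_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Administrator access required.', array( 'status' => 403 ) );
    }
    if ( get_option( 'example_clinic_setup_done' ) ) { // assumed option name
        return new WP_Error( 'rest_setup_done', 'Setup wizard has already run.', array( 'status' => 403 ) );
    }
    return true;
}

function example_setup_clinic( WP_REST_Request $request ) {
    $email = $request->get_param( 'admin_email' );
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        return new WP_Error( 'rest_invalid_param', 'Invalid or already registered email.', array( 'status' => 400 ) );
    }
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $email, true ),
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ),
        'role'       => 'example_clinic_admin', // assumed role name
    ) );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    update_option( 'example_clinic_setup_done', 1 ); // blocks any re-run of the wizard
    return rest_ensure_response( array(
        'clinic'  => $request->get_param( 'clinic_name' ),
        'user_id' => $user_id,
    ) );
}
```

The permission callback runs before the handler for every request to the route, so an anonymous caller receives a 403 and never reaches the code that creates a user.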

Technical or Business Impacts

Unauthorized admin-level access can lead to operational disruption and brand damage. Once an attacker creates an elevated account, they may be able to change settings, manipulate clinic configuration, and potentially access or alter sensitive business data managed through the EHR-related workflow (the CVSS vector indicates high integrity impact and low confidentiality impact).

For executives and compliance teams, the business risks include: loss of trust if patient-related workflows are tampered with, potential compliance exposure depending on what information is accessible through the compromised role, incident response costs, and possible downtime while accounts and configurations are audited and restored.

Recommended remediation: update KiviCare to version 4.1.3 or newer (patched). After patching, review WordPress user accounts for unexpected new users (especially any new “clinic admin” accounts), validate clinic records for unauthorized additions, and ensure logging/monitoring is in place to detect any repeat attempts.

References: CVE-2026-2992; Wordfence advisory (Wordfence Threat Intel).

Similar Attacks

Authorization gaps in APIs and plugin endpoints are a recurring cause of real-world incidents. Examples include:

CVE-2017-5487 (WordPress REST API content injection) — demonstrated how exposed REST endpoints can be abused when critical checks fail.
CVE-2020-25213 (WP File Manager unauthenticated file upload/RCE) — a high-impact example of how unauthenticated access paths in WordPress plugins can rapidly lead to full site compromise.
