Attack Vectors
CVE-2026-2991 is a Critical (CVSS 9.8) vulnerability in the WordPress plugin KiviCare – Clinic & Patient Management System (EHR) (slug: kivicare-clinic-management-system), affecting versions up to and including 4.1.2. It is exploitable remotely over the internet with no prior authentication and no user interaction, which makes it particularly dangerous for public-facing clinic sites.
An attacker who knows a patient's email address can log in as that patient by submitting the address to the social login flow together with an arbitrary value in place of a real social provider access token. Any deployment that exposes patient-facing portals, appointment booking, or EHR access through KiviCare is at risk, and the risk rises where patient email addresses are easy to discover through marketing lists, prior breaches, or simple guessing of first.last@domain patterns.
Security Weakness
The issue stems from KiviCare's patientSocialLogin() function not verifying the social provider access token with the identity provider before authenticating the user. In practical terms, the code trusts whatever token value the request contains and logs in the account that matches the supplied email address. Because social login is an alternate authentication route that never touches the password check, this amounts to a full authentication bypass: the attacker needs only the victim's email address, not any credential.
Because the weakness bypasses normal credential checks, common safeguards such as strong passwords and patient password resets do not address the core problem until the plugin is patched. The vendor-recommended remediation is to update to KiviCare version 4.1.3 or newer, which contains the fix. Until the update is applied, exposure can be reduced by limiting reachability of the social-login path (for example, blocking it at the web server or WAF if your clinic does not offer social login), and patient logins that arrived through that path should be reviewed in the site's authentication and access logs.
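To make the flaw concrete, here is an added illustrative example written for this page; it is not KiviCare's code and does not reproduce its patientSocialLogin() implementation. It shows a WordPress social-login handler in the vulnerable shape described above (the token is accepted on faith and the email in the request selects the account) beside a hardened version that asks the identity provider to validate the token and takes the email from the provider's answer. The function names (example_vulnerable_social_login, example_hardened_google_login), the option name example_google_client_id, and the choice of Google's tokeninfo endpoint as the verification call are assumptions for the example; the WordPress and PHP functions called are real.

```php
<?php
/**
 * Added illustrative example (not KiviCare's code). Function names, the option
 * 'example_google_client_id' and the use of Google's tokeninfo endpoint are
 * assumptions made for this example.
 */

/**
 * VULNERABLE PATTERN: the access token is never presented to the provider and the
 * client-supplied email chooses the account. Any value in $access_token "works",
 * so knowing a patient's email is enough to become that patient.
 */
function example_vulnerable_social_login( string $email, string $access_token ) {
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        return new WP_Error( 'unknown_account', 'No account for that email.' );
    }
    // $access_token is unused: this is the authentication bypass.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, true );
    return $user;
}

/**
 * HARDENED PATTERN: the provider must confirm the token, the token must have been
 * issued to this application (aud check), the email must be provider-verified, and
 * the account is selected by the provider-asserted email, not by the request body.
 *
 * @param string $access_token Google OAuth 2.0 access token received from the browser.
 * @return WP_User|WP_Error
 */
function example_hardened_google_login( string $access_token ) {
    if ( '' === $access_token || strlen( $access_token ) > 2048 ) {
        return new WP_Error( 'bad_token', 'Missing or malformed token.' );
    }

    // Server-side introspection: Google answers 200 with the token's claims, or 400
    // for an unknown, revoked or expired token.
    $response = wp_remote_get(
        'https://oauth2.googleapis.com/tokeninfo?access_token=' . rawurlencode( $access_token ),
        array( 'timeout' => 5 )
    );
    if ( is_wp_error( $response ) || 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'token_rejected', 'Provider did not accept the token.' );
    }

    $claims = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $claims ) ) {
        return new WP_Error( 'token_rejected', 'Unreadable provider response.' );
    }

    // Token-substitution check: a valid token minted for some other app must not log
    // anyone in here. The expected audience is this site's own OAuth client ID.
    $expected_aud = (string) get_option( 'example_google_client_id', '' );
    $actual_aud   = (string) ( $claims['aud'] ?? '' );
    if ( '' === $expected_aud || ! hash_equals( $expected_aud, $actual_aud ) ) {
        return new WP_Error( 'token_rejected', 'Token was not issued to this application.' );
    }

    // Google returns email_verified as the string "true"; accept only a verified address.
    $email    = sanitize_email( (string) ( $claims['email'] ?? '' ) );
    $verified = filter_var( $claims['email_verified'] ?? false, FILTER_VALIDATE_BOOLEAN );
    if ( '' === $email || ! $verified ) {
        return new WP_Error( 'token_rejected', 'Provider did not return a verified email.' );
    }
    if ( (int) ( $claims['expires_in'] ?? 0 ) <= 0 ) {
        return new WP_Error( 'token_rejected', 'Token has expired.' );
    }

    // The account is chosen by what the provider asserted, never by request input.
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        return new WP_Error( 'unknown_account', 'No account for the provider-asserted email.' );
    }

    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, true );
    return $user;
}
```

The three checks that matter are exactly the ones the vulnerable version skips: the provider must confirm the token is live, the token's audience must be this site's own OAuth client ID so a token minted for another application cannot be replayed here, and the account is selected by the provider-asserted, verified email rather than by whatever email the request body carries. Other providers expose an equivalent introspection call (Facebook's debug_token endpoint, for instance); whichever is used, a request-supplied email must never be the value that selects the account.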
Technical or Business Impacts
Successful exploitation can allow an attacker to log in as any patient account and access sensitive healthcare information (including medical records, appointments, and prescriptions) stored or presented through the portal. This can lead to privacy breaches, patient safety concerns (if appointments or records are altered), and reputational harm that impacts patient trust and brand credibility.
From a business-risk perspective, exposure of protected health information may trigger contractual obligations, incident response costs, and regulatory scrutiny, depending on jurisdiction and the data involved (for example, HIPAA obligations in the US where applicable). Operationally, expect downtime for investigation, forced password resets or account lockdowns, increased call-center load, and reputational damage that affects patient retention and partner relationships.
Authentication and "login shortcut" paths are a recurring target in widely used software, and flaws in OAuth and social-login implementations are a well-known class of authentication bypass. The incidents often cited alongside such flaws, the MOVEit Transfer mass-exploitation campaign, the Okta support system breach, and the Equifax breach, did not involve social login (they stemmed from a SQL injection flaw, stolen credentials to a support system, and an unpatched web framework vulnerability, respectively), but they show how quickly an authentication or access-control weakness in an internet-facing application turns into business-wide consequences.
For details on this specific issue, see the CVE record at https://www.cve.org/CVERecord?id=CVE-2026-2991 and the Wordfence Threat Intelligence advisory.