cleantalk
Vulnerabilities and Security Researches

KiviCare – Clinic & Patient Management System (EHR), CVE-2026-2992

CVE, Research URL

CVE-2026-2992

Home page URL

Security reports for KiviCare – Clinic & Patient Management System (EHR)

Application

KiviCare – Clinic & Patient Management System (EHR)

Published on
Mar 18, 2026
Research Description
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to create a new clinic and a WordPress user with clinic admin privileges.
Affected versions
max 4.1.3.
Status
vulnerable
Previous vulnerability researches
KiviCare – Clinic & Patient Management System (EHR) (CVE-2026-2992) , Apr 13, 2026
KiviCare – Clinic & Patient Management System (EHR) (CVE-2026-2991) , Apr 13, 2026
KiviCare – Clinic & Patient Management System (EHR) (CVE-2026-25383) , Mar 30, 2026
KiviCare – Clinic & Patient Management System (EHR) (CVE-2026-25034) , Mar 30, 2026
KiviCare – Clinic & Patient Management System (EHR) (CVE-2024-11728) , Dec 06, 2024
New vulnerability
Popup Box – new WordPress popup plugin (CVE-2025-12122) , Apr 19, 2026
KiviCare – Clinic & Patient Management System (EHR) (CVE-2026-0927) , Apr 19, 2026
Terms Dictionary (CVE-2025-39534) , Apr 19, 2026
Quiz Maker (CVE-2025-58015) , Apr 19, 2026
Canto (CVE-2026-6441) , Apr 19, 2026