CVE-2026-2992 - Vulnerability Analysis
HighCVSS: 8.2Last Updated: March 19, 2026
KiviCare – Clinic & Patient Management System WordPress plugin - Privilege Escalation
Overview
KiviCare – Clinic & Patient Management System WordPress plugin <= 4.1.2 contains a privilege escalation vulnerability caused by missing authorization on the /wp-json/kivicare/v1/setup-wizard/clinic REST API endpoint, letting unauthenticated attackers create clinics and admin users, exploit requires no authentication.
Severity & Score
Impact
Unauthenticated attackers can create admin users, gaining full control over the WordPress site.
Mitigation
Update to a version later than 4.1.2 or the latest available version.
References
- https://plugins.trac.wordpress.org/changeset/3467409/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d96743ea-08b1-4b4c-9d62-558b97a6e297?source=cve
- https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L162
- https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L31
Social Media Activity(1 post)
🟠 CVE-2026-2992 - High (8.2) The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and includ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-2992/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postRelated Resources
Details
- CVE ID
- CVE-2026-2992
- Severity
- High
- CVSS Score
- 8.2
- Type
- broken_access_control
- Status
- unconfirmed
- EPSS
- 3.6%
- Social Posts
- 1
CWE
- CWE-862
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N