CVE-2026-2992 - Vulnerability Analysis
HighCVSS: 8.2Last Updated: March 18, 2026
KiviCare – Clinic & Patient Management System WordPress plugin - Privilege Escalation
Published: March 18, 2026Updated: March 18, 2026Remote Exploitable
Overview
KiviCare – Clinic & Patient Management System WordPress plugin <= 4.1.2 contains a privilege escalation vulnerability caused by missing authorization on the /wp-json/kivicare/v1/setup-wizard/clinic REST API endpoint, letting unauthenticated attackers create clinics and admin users, exploit requires no authentication.
Severity & Score
Severity: High
CVSS Score: 8.2
Impact
Unauthenticated attackers can create admin users, gaining full control over the WordPress site.
Mitigation
Update to a version later than 4.1.2 or the latest available version.
References
- https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L31
- https://plugins.trac.wordpress.org/changeset/3467409/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d96743ea-08b1-4b4c-9d62-558b97a6e297?source=cve
- https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L162
Related Resources
Details
- CVE ID
- CVE-2026-2992
- Severity
- High
- CVSS Score
- 8.2
- Type
- broken_access_control
- Status
- new
CWE
- CWE-862
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N