CVE-2026-2991
Published: 18 March 2026
Description
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion (the MITRE ATT&CK description of T1078: Valid Accounts, the technique this vulnerability enables).
Security Summary
CVE-2026-2991, published on 2026-03-18, is an authentication bypass vulnerability (CWE-287, Improper Authentication) in the KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress, affecting all versions up to and including 4.1.2. The flaw lies in the `patientSocialLogin()` function in the plugin's AuthController.php, which does not verify the social provider access token before authenticating the user. The issue is rated CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and allows attackers to impersonate users without holding valid credentials.
Unauthenticated remote attackers can exploit the vulnerability by submitting only a target patient's email address together with an arbitrary access token value to the social login endpoint; because the token is never checked against the provider, any value is accepted. Successful exploitation yields a login as any registered patient, exposing that patient's medical records, appointments, prescriptions, and billing information (a PII/PHI breach). In addition, the function sets the authentication cookies before it performs its role check, so the Set-Cookie headers for non-patient accounts, including administrators, are emitted in the HTTP response even when the endpoint returns 403 Forbidden. A 403 status from this endpoint is therefore not evidence that a session was withheld; the response headers must be inspected.
Advisories from Wordfence describe the vulnerability and reference specific code locations in the plugin's trac repository, including AuthController.php lines 1852 and 284. The fix is implemented in trac changeset 3467409; updating to a release later than 4.1.2 addresses the issue by verifying the provider token and by moving the role check ahead of cookie issuance. The advisory text does not name the first fixed version, so confirm the installed version exceeds 4.1.2 after updating.
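The two defects above are ordering and omission bugs in a login handler, so they are easiest to see as code. The following is an added illustration written for this page, not KiviCare's code and not the patched plugin: it shows the flawed control flow as the advisory describes it, then a hardened handler that verifies the provider token first, binds it to the requested email, and checks the role before any cookie is issued. The REST route, the patient role slug (`kiviCare_patient`), the option name holding the OAuth client ID, and the use of Google's tokeninfo endpoint and its response fields are all assumptions made for the example.

```php
<?php
// Added example, not the plugin's code. Role slug, option name, route and
// provider endpoint are assumptions for illustration.

const EXAMPLE_PATIENT_ROLE = 'kiviCare_patient'; // assumed role slug

// Flawed flow as the advisory describes it (reconstruction, not the real source):
// the token is never verified and the cookie is set before the role check,
// so a 403 for an admin account still carries Set-Cookie headers.
function example_patient_social_login_flawed( WP_REST_Request $request ) {
    $email = sanitize_email( (string) $request->get_param( 'email' ) );
    $token = (string) $request->get_param( 'access_token' ); // read, never checked
    $user  = get_user_by( 'email', $email );
    if ( ! $user ) {
        return new WP_Error( 'not_found', 'No such user.', array( 'status' => 404 ) );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false );            // issued too early
    if ( ! in_array( EXAMPLE_PATIENT_ROLE, (array) $user->roles, true ) ) {
        return new WP_Error( 'forbidden', 'Patients only.', array( 'status' => 403 ) );
    }
    return rest_ensure_response( array( 'status' => true ) );
}

// Hypothetical provider check. Google's tokeninfo endpoint is used as the
// worked example; the fields it returns ('email', 'aud') are assumed here.
// Any provider must let us learn (a) which account the token belongs to and
// (b) which OAuth client it was issued to.
function example_verify_social_token( string $provider, string $token ) {
    if ( 'google' !== $provider ) {
        return new WP_Error( 'bad_provider', 'Unsupported provider.' );
    }
    $response = wp_remote_get(
        'https://oauth2.googleapis.com/tokeninfo?access_token=' . rawurlencode( $token ),
        array( 'timeout' => 10 )
    );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'bad_token', 'Provider rejected the access token.' );
    }
    $claims = json_decode( wp_remote_retrieve_body( $response ), true );
    // Reject tokens minted for some other application (audience binding).
    if ( ! is_array( $claims ) || empty( $claims['email'] )
        || ( $claims['aud'] ?? '' ) !== (string) get_option( 'example_google_client_id' ) ) {
        return new WP_Error( 'bad_token', 'Token is not for this application.' );
    }
    return $claims;
}

// Hardened flow: verify, bind, authorise, and only then establish a session.
function example_patient_social_login( WP_REST_Request $request ) {
    $email    = sanitize_email( (string) $request->get_param( 'email' ) );
    $token    = (string) $request->get_param( 'access_token' );
    $provider = (string) $request->get_param( 'provider' );
    if ( ! is_email( $email ) || '' === $token ) {
        return new WP_Error( 'bad_request', 'email and access_token are required.', array( 'status' => 400 ) );
    }

    // 1. The provider must vouch for the token (the check the advisory says is missing).
    $claims = example_verify_social_token( $provider, $token );
    if ( is_wp_error( $claims ) ) {
        return new WP_Error( 'unauthorized', 'Invalid social login token.', array( 'status' => 401 ) );
    }

    // 2. The caller-supplied email must be the one the provider asserts; otherwise a
    //    user with a valid token for their own account could name any victim.
    if ( strtolower( $claims['email'] ) !== strtolower( $email ) ) {
        return new WP_Error( 'unauthorized', 'Token does not belong to this account.', array( 'status' => 401 ) );
    }

    // Same generic error for unknown accounts so the endpoint does not confirm emails.
    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        return new WP_Error( 'unauthorized', 'Invalid social login token.', array( 'status' => 401 ) );
    }

    // 3. Role check before any cookie is issued, so a 403 response carries no Set-Cookie.
    if ( ! in_array( EXAMPLE_PATIENT_ROLE, (array) $user->roles, true ) ) {
        return new WP_Error( 'forbidden', 'Social login is only available to patient accounts.', array( 'status' => 403 ) );
    }

    // 4. Only now establish the session.
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false );
    return rest_ensure_response( array( 'status' => true, 'user_id' => $user->ID ) );
}

// Assumed route registration; the real plugin's namespace and path are not given on this page.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-clinic/v1', '/patient/social-login', array(
        'methods'             => 'POST',
        'callback'            => 'example_patient_social_login',
        'permission_callback' => '__return_true', // unauthenticated by design; the token is the credential
    ) );
} );
```

The hardened handler returns a `WP_Error` before `wp_set_auth_cookie()` on every failure path, which is what guarantees that a 401 or 403 response carries no session cookie. Step 2 matters as much as step 1: verifying that a token is valid is not enough if the handler still trusts the attacker-supplied email to choose which account to log into.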
Details
- CWE(s): CWE-287 (Improper Authentication)
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
- T1078: Valid Accounts
Why these techniques?
The vulnerability is an authentication bypass in a public-facing WordPress plugin (T1190: Exploit Public-Facing Application), enabling unauthenticated attackers to impersonate any registered patient and use valid accounts (T1078: Valid Accounts) to access sensitive data.