{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2992", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-22T21:12:30.312Z", "datePublished": "2026-03-18T15:28:30.071Z", "dateUpdated": "2026-04-08T17:27:07.605Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:07.605Z"}, "affected": [{"vendor": "iqonicdesign", "product": "KiviCare \u2013 Clinic & Patient Management System (EHR)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The KiviCare \u2013 Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to create a new clinic and a WordPress user with clinic admin privileges."}], "title": "KiviCare <= 4.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via Setup Wizard", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d96743ea-08b1-4b4c-9d62-558b97a6e297?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L162"}, {"url": "https://plugins.trac.wordpress.org/changeset/3467409/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2026-02-22T21:30:14.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-17T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-18T16:02:51.294097Z", "id": "CVE-2026-2992", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T16:03:37.996Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2992", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-18T16:02:51.294097Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-18T16:03:08.644Z"}}], "cna": {"title": "KiviCare <= 4.1.2 - Missing Authorization to Unauthenticated Privilege Escalation via Setup Wizard", "credits": [{"lang": "en", "type": "finder", "value": "Athiwat Tiprasaharn"}, {"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N"}}], "affected": [{"vendor": "iqonicdesign", "product": "KiviCare \u2013 Clinic & Patient Management System (EHR)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.1.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-22T21:30:14.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-03-17T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d96743ea-08b1-4b4c-9d62-558b97a6e297?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L162"}, {"url": "https://plugins.trac.wordpress.org/changeset/3467409/"}], "descriptions": [{"lang": "en", "value": "The KiviCare \u2013 Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to create a new clinic and a WordPress user with clinic admin privileges."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:27:07.605Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2992", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:27:07.605Z", "dateReserved": "2026-02-22T21:12:30.312Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-18T15:28:30.071Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The KiviCare \u2013 Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to create a new clinic and a WordPress user with clinic admin privileges."}, {"lang": "es", "value": "El plugin KiviCare \u2013 Clinic &amp; Patient Management System (EHR) para WordPress es vulnerable a la escalada de privilegios debido a la falta de autorizaci\u00f3n en el endpoint de la API REST `/wp-json/kivicare/v1/setup-wizard/clinic` en todas las versiones hasta la 4.1.2, inclusive. Esto permite a atacantes no autenticados crear una nueva cl\u00ednica y un usuario de WordPress con privilegios de administrador de cl\u00ednica."}], "id": "CVE-2026-2992", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-18T16:16:27.583", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L162"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L31"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3467409/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d96743ea-08b1-4b4c-9d62-558b97a6e297?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.1.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "KiviCare \u2013 Clinic & Patient Management System (EHR)", "source": "cna", "vendor": "iqonicdesign"}, "product": "kivicare_\u2013_clinic_&_patient_management_system_(ehr)", "vendor": "iqonicdesign"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-18T16:20:52.927011+00:00", "value": {"mitigation_remediation": ["Upgrade the KiviCare plugin to a version where the /wp-json/kivicare/v1/setup-wizard/clinic endpoint has proper authorization checks. The latest patch can be obtained from the vendor's website.", "If an update cannot be applied immediately, restrict access to the /wp-json/kivicare/v1/setup-wizard/clinic endpoint (e.g., via firewall or .htaccess rules) so that only authenticated users can reach it.", "Monitor the site for any unauthorized account creation events and audit WordPress user accounts regularly."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the KiviCare \u2013 Clinic & Patient Management System (EHR) plugin for WordPress, developed by iqonicdesign, in all plugin versions up to and including 4.1.2. Users running any of these versions are susceptible to the unauthenticated privilege escalation described above.", "description_and_impact": "The vulnerability arises from a missing authorization check on the REST API endpoint '/wp-json/kivicare/v1/setup-wizard/clinic', allowing any unauthenticated user to POST data that creates a new clinic and simultaneously creates a WordPress user with clinic admin privileges. This grants the attacker full administrative access to the WordPress installation and to the KiviCare system, including sensitive patient data. The weakness corresponds to CWE-862: Missing Authorization.", "risk_and_exploitability": "The CVSS score is 8.2, classifying the issue as high severity. While an EPSS score is not provided, the vulnerability exists in software widely used in healthcare settings, so the risk of exploitation is non-negligible. The lack of a KEV listing indicates there is no publicly known exploit code yet, but the attack vector relies on sending an unauthenticated HTTP POST request to the vulnerable REST endpoint, which is trivially reachable by anyone with internet access to the site. Therefore, the vulnerability can be exploited with minimal effort."}}}}, "created": "2026-03-19T08:56:28.419601+00:00", "updated": "2026-03-24T10:58:35.177055+00:00", "vendors": ["iqonicdesign", "iqonicdesign$PRODUCT$kivicare_\u2013_clinic_&_patient_management_system_(ehr)", "wordpress", "wordpress$PRODUCT$wordpress"]}