CVE-2026-2991: Improper Authentication in KiviCare Clinic Patient Management System

Severity: 7.3 HIGH (NVD)
EPSS: 0.2% (top 54.72%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 18

Description

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2. This is due to the `patientSocialLogin()` function not verifying the social provider access token before authenticating a user. This makes it possible for unauthenticated attackers to log in as any patient registered on the system by providing only their email address and an arbitrary value for the access token, bypassing all credential
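The flaw described above is a missing verification step rather than a cryptographic one: the handler receives an access token but never asks the identity provider whether it is genuine or whom it belongs to, so the email parameter alone selects the account. The following Python example (added here; it is not the plugin's PHP code, and the provider, patient store, token values and function names are all constructed for illustration) places that flawed pattern beside a hardened one that confirms the token with the provider, requires a verified email, and checks that the verified identity matches the account being logged into.

```python
"""Added example, not the KiviCare plugin's code: a social-login handler that
trusts the caller-supplied email and token, beside one that verifies the token
with the identity provider first. Provider, patient store and tokens are all
constructed sample data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VerifiedIdentity:
    email: str
    email_verified: bool


class FakeSocialProvider:
    """Stand-in (hypothetical) for a provider's userinfo / token-introspection
    endpoint. It only knows about tokens it actually issued."""

    def __init__(self, issued: dict[str, VerifiedIdentity]):
        self._issued = issued

    def userinfo(self, access_token: str) -> Optional[VerifiedIdentity]:
        return self._issued.get(access_token)


# Constructed patient store keyed by email, as a clinic system would hold it.
PATIENTS = {
    "alice@example.invalid": {"id": 101, "name": "Alice"},
    "bob@example.invalid": {"id": 102, "name": "Bob"},
}


def social_login_vulnerable(email: str, access_token: str) -> Optional[int]:
    """Flawed pattern: the token is accepted but never checked, so the email
    alone decides which patient receives a session."""
    patient = PATIENTS.get(email.lower())
    if patient is None:
        return None
    return patient["id"]  # a real handler would create the session here


def social_login_hardened(provider: FakeSocialProvider, email: str,
                          access_token: str) -> Optional[int]:
    """Hardened pattern: the provider must confirm the token, the confirmed
    identity must carry a verified email, and that email must match the
    account the caller is asking to log into."""
    identity = provider.userinfo(access_token)
    if identity is None or not identity.email_verified:
        return None
    if identity.email.lower() != email.lower():
        return None
    patient = PATIENTS.get(identity.email.lower())
    if patient is None:
        return None
    return patient["id"]


# Constructed provider that has issued exactly one token, belonging to Alice.
PROVIDER = FakeSocialProvider({
    "tok-alice-valid": VerifiedIdentity("alice@example.invalid", True),
})


if __name__ == "__main__":
    print("vulnerable, bogus token:",
          social_login_vulnerable("bob@example.invalid", "anything"))
    print("hardened, bogus token:",
          social_login_hardened(PROVIDER, "bob@example.invalid", "anything"))
    print("hardened, real token:",
          social_login_hardened(PROVIDER, "alice@example.invalid", "tok-alice-valid"))
```

The key design point is that the account is chosen from the identity the provider returns, not from the email the client sent; the client's email is only compared against it. A real implementation would call the provider's userinfo or introspection endpoint over TLS and should also reject tokens issued to a different client application, which the constructed provider here does not model.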

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Exploitability: 3.9 | Impact: 3.4

Affected Packages: 1 package

Vulnerability Details (2)

GHSA: GHSA-vgm8-mf6q-65v2: The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and includi (2026-03-18)
CVEList: KiviCare – Clinic & Patient Management System (EHR) <= 4.1.2 - Unauthenticated Authentication Bypass via Social Login Token (2026-03-18)

Threat Intelligence (1)

Wiz: CVE-2026-2991 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-2991 — Improper Authentication | cvebase