The KiviCare Clinic & Patient Management System plugin for WordPress suffers from a critical authentication bypass vulnerability identified as CVE-2026-2991. This vulnerability exists due to improper authentication logic in the patientSocialLogin() function, which fails to validate the social provider access token before authenticating users. As a result, an unauthenticated attacker can impersonate any registered patient by submitting only the patient's email address alongside an arbitrary access token value. This bypasses all standard credential verification mechanisms, granting unauthorized access to sensitive patient data including electronic health records (EHR), appointments, prescriptions, and billing details. Furthermore, the plugin sets authentication cookies for all user roles, including administrators, before verifying user roles. This means that even if a 403 Forbidden response is returned, authentication cookies are still sent in HTTP headers, potentially allowing session hijacking or unauthorized session reuse. The vulnerability affects all versions up to and including 4.1.2 of the plugin. The CVSS v3.1 base score is 9.8 (critical), reflecting the vulnerability’s ease of exploitation (no privileges or user interaction required), network attack vector, and its severe impact on confidentiality, integrity, and availability of sensitive health data. While no active exploits have been reported yet, the nature of the vulnerability and the sensitive data involved make it a high-risk threat. The lack of patch links suggests that a fix may not yet be publicly available, increasing urgency for mitigation. This vulnerability falls under CWE-287 (Improper Authentication), a common and dangerous flaw in web applications handling sensitive data.

The impact of CVE-2026-2991 is severe for organizations using the KiviCare EHR plugin. Unauthorized attackers can gain full access to patient accounts without any valid credentials, leading to breaches of personally identifiable information (PII) and protected health information (PHI). This compromises patient privacy and violates healthcare data protection regulations such as HIPAA in the US and GDPR in Europe. Attackers could view, modify, or delete medical records, appointments, prescriptions, and billing information, potentially disrupting patient care and causing financial and reputational damage. The improper setting of authentication cookies for all roles, including administrators, increases the risk of session hijacking and privilege escalation attacks. Healthcare providers, clinics, and hospitals relying on this plugin face legal liabilities, loss of patient trust, and operational disruptions. The vulnerability’s network-level exploitability and lack of required privileges or user interaction make it highly accessible to remote attackers, increasing the likelihood of exploitation once public exploits emerge.

1. Immediate mitigation should include disabling the KiviCare plugin until a vendor patch is released. 2. Monitor network traffic and logs for suspicious login attempts using arbitrary tokens or unusual access patterns. 3. Implement Web Application Firewall (WAF) rules to block requests to the patientSocialLogin() endpoint that do not originate from trusted social providers or that contain invalid tokens. 4. Enforce multi-factor authentication (MFA) for administrative accounts to reduce risk from session cookie leakage. 5. Restrict access to the WordPress admin and plugin endpoints via IP whitelisting where feasible. 6. Regularly audit user sessions and revoke any suspicious or inactive sessions, especially for high-privilege accounts. 7. Once available, promptly apply vendor patches or updates addressing this vulnerability. 8. Conduct a thorough security review of authentication flows in custom plugins to prevent similar flaws. 9. Educate staff on recognizing phishing or social engineering attempts that could leverage this vulnerability. 10. Consider isolating the EHR system behind VPN or internal networks to reduce exposure.