
CVE-2026-2992: CWE-862 Missing Authorization in iqonicdesign KiviCare – Clinic & Patient Management System (EHR)

Severity: High
Tags: Vulnerability, CVE-2026-2992, CWE-862
Published: Wed Mar 18 2026 (03/18/2026, 15:28:30 UTC)
Source: CVE Database V5
Vendor/Project: iqonicdesign
Product: KiviCare – Clinic & Patient Management System (EHR)

Description

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to create a new clinic and a WordPress user with clinic admin privileges.

AI-Powered Analysis

AI analysis last updated: 03/18/2026, 15:58:07 UTC

Technical Analysis

CVE-2026-2992 identifies a critical missing authorization vulnerability (CWE-862) in the KiviCare – Clinic & Patient Management System plugin for WordPress, which is widely used for managing clinics and patient records (EHR). The vulnerability exists in the REST API endpoint /wp-json/kivicare/v1/setup-wizard/clinic, which lacks proper authorization checks, allowing unauthenticated attackers to invoke this endpoint. Through this flaw, attackers can create new clinic entries and, more critically, create WordPress users with clinic administrator privileges without any authentication or user interaction. This privilege escalation can lead to unauthorized administrative control over the WordPress site and the sensitive patient data managed by the plugin. The vulnerability affects all plugin versions up to and including 4.1.2. The CVSS v3.1 score of 8.2 reflects the vulnerability's network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on integrity with limited impact on confidentiality and no impact on availability. Although no public exploits have been reported yet, the vulnerability's nature makes it highly exploitable. The lack of authorization on a critical setup API endpoint is a serious design flaw that undermines the security of healthcare data management systems relying on this plugin. Given the sensitive nature of EHR data, exploitation could result in unauthorized data manipulation, privacy breaches, and potential regulatory non-compliance.

Potential Impact

The primary impact of CVE-2026-2992 is unauthorized privilege escalation, allowing attackers to gain clinic administrator access within the WordPress environment hosting the KiviCare plugin. This elevated access can lead to unauthorized creation, modification, or deletion of patient records and clinic configurations, severely compromising data integrity. Confidentiality risks arise as attackers with admin privileges can access sensitive patient information, violating privacy regulations such as HIPAA or GDPR. Although availability is not directly impacted, the integrity and confidentiality breaches can disrupt healthcare operations and trust. Organizations using KiviCare in their clinical workflows face risks of data tampering, unauthorized user creation, and potential lateral movement within their networks. The vulnerability's ease of exploitation without authentication or user interaction increases the likelihood of attacks, especially in environments exposed to the internet. Healthcare providers, clinics, and hospitals relying on this plugin could suffer reputational damage, legal penalties, and operational disruptions if exploited.

Mitigation Recommendations

1. Immediately restrict external access to the /wp-json/kivicare/v1/setup-wizard/clinic REST API endpoint using web application firewalls (WAFs) or server-level access controls to prevent unauthenticated calls.
2. Monitor WordPress user creation logs and API access logs for suspicious activity indicative of exploitation attempts.
3. Disable or remove the KiviCare plugin if it is not actively used or if an update is not yet available.
4. Coordinate with the plugin vendor (iqonicdesign) for an official security patch and apply updates promptly once released.
5. Implement strict WordPress user role management policies to limit the impact of unauthorized user creation.
6. Conduct regular security audits and penetration testing focused on REST API endpoints to detect missing authorization issues.
7. Employ network segmentation to isolate WordPress servers hosting EHR systems from broader organizational networks to limit lateral movement.
8. Educate IT and security teams about this vulnerability to ensure rapid detection and response.
9. Consider deploying endpoint detection and response (EDR) solutions to identify anomalous activities related to privilege escalation.
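As an added example (not from the advisory, the vendor or the plugin), a small Python triage script for mitigation step 2: it flags requests to the unauthenticated setup-wizard route in combined-format web access logs and checks whether an installed KiviCare version falls in the affected range (up to and including 4.1.2). The log lines, IP addresses and user agents are constructed samples.

```python
import re

# Endpoint named in the advisory; plugin versions <= 4.1.2 perform no authorization check here.
VULN_ROUTE = "/wp-json/kivicare/v1/setup-wizard/clinic"
LAST_VULNERABLE_VERSION = (4, 1, 2)

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Mar/2026:15:30:01 +0000] "POST /wp-json/kivicare/v1/setup-wizard/clinic HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.2 - - [18/Mar/2026:15:30:05 +0000] "GET /wp-json/kivicare/v1/appointment HTTP/1.1" 200 1201 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Mar/2026:15:30:09 +0000] "POST /wp-json/kivicare/v1/setup-wizard/clinic?x=1 HTTP/1.1" 500 410 "-" "curl/8.4.0"
192.0.2.10 - - [18/Mar/2026:15:31:00 +0000] "POST /wp-json/wp/v2/users HTTP/1.1" 401 88 "-" "Mozilla/5.0"
"""


def is_vulnerable_version(version: str) -> bool:
    """True if the installed KiviCare version is in the affected range (<= 4.1.2)."""
    parts = tuple(int(p) for p in version.split("."))
    parts = parts + (0,) * (3 - len(parts))  # "4.1" compares as 4.1.0
    return parts <= LAST_VULNERABLE_VERSION


def find_setup_wizard_hits(log_text: str) -> list:
    """Return (ip, timestamp, method, status) for every request to the setup-wizard route.
    Query strings and trailing slashes are normalised so path variants are not missed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path == VULN_ROUTE:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), int(m.group("status"))))
    return hits


def successful_hits(log_text: str) -> list:
    """Hits that returned 2xx: on an unpatched site these warrant an immediate review
    of newly created WordPress users and clinic records."""
    return [h for h in find_setup_wizard_hits(log_text) if 200 <= h[3] < 300]
```

Feed the real access log to find_setup_wizard_hits and cross-check any 2xx hit against the WordPress user table for accounts created around that timestamp.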


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-02-22T21:12:30.312Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69bac82e771bdb1749ab014c

Added to database: 3/18/2026, 3:43:42 PM

Last enriched: 3/18/2026, 3:58:07 PM

Last updated: 3/19/2026, 3:49:13 AM
