Privilege Escalation in KiviCare Clinic Management System from WordPress
CVE-2026-2992

8.2HIGH

Key Information:

Vendor: WordPress
Status: Kivicare – Clinic & Patient Management System (ehr)
Vendor: CVE Published:; 18 March 2026

What is CVE-2026-2992?

The KiviCare – Clinic & Patient Management System, a plugin for WordPress, suffers from a Privilege Escalation vulnerability that allows unauthenticated attackers to exploit the unprotected /wp-json/kivicare/v1/setup-wizard/clinic REST API endpoint. This flaw exists in all versions up to and including 4.1.2. Without proper authorization checks, attackers can create new clinics and elevate user roles to clinic admin, potentially compromising the integrity and confidentiality of the system.

Affected Version(s)

KiviCare – Clinic & Patient Management System (EHR) 0 <= 4.1.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/kivicare-clini...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 18, 2026
Vulnerability Reserved
Feb 22, 2026

Credit

Athiwat Tiprasaharn

Itthidej Aramsri

CVE-2026-2992 Data

JSON