Is WordPress affected by CVE-2026-2991?

A critical authentication bypass vulnerability in the KiviCare WordPress plugin (CVE-2026-2991, CVSS 9.8) allows unauthenticated attackers to access any patient account using only an email address and arbitrary token, exposing all protected health information (PHI), medical records, and billing…

CVE-2026-2991

EUVD-2026-12838 HIGH

2026-03-18 Wordfence

7.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Lifecycle Timeline

Analysis Generated

Mar 18, 2026 - 15:45 vuln.today

EUVD ID Assigned

Mar 18, 2026 - 15:45 euvd

EUVD-2026-12838

CVE Published

Mar 18, 2026 - 15:28 nvd

HIGH 7.3

Description

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 4.1.2. This is due to the `patientSocialLogin()` function not verifying the social provider access token before authenticating a user. This makes it possible for unauthenticated attackers to log in as any patient registered on the system by providing only their email address and an arbitrary value for the access token, bypassing all credential verification. The attacker gains access to sensitive medical records, appointments, prescriptions, and billing information (PII/PHI breach). Additionally, authentication cookies are set before the role check, meaning the auth cookies for non-patient users (including administrators) are also set in the HTTP response headers, even though a 403 response is returned.

Analysis

The KiviCare Clinic & Patient Management System (EHR) plugin for WordPress contains a critical authentication bypass vulnerability allowing unauthenticated attackers to log in as any patient by simply providing their email address and an arbitrary access token value. All versions up to and including 4.1.2 are affected, exposing sensitive medical records, appointments, prescriptions, and billing information (PII/PHI). …

Remediation

Within 24 hours: Disable the KiviCare plugin immediately and switch patient portals to an alternative system or take the plugin offline entirely; audit access logs for unauthorized login attempts; notify your legal and compliance teams. Within 7 days: Conduct a forensic investigation to determine if the vulnerability was exploited, review patient records for unauthorized access or modification, and prepare breach notification procedures if compromise is confirmed. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.2

CVSS: +36

POC: 0

CVE-2026-2991 vulnerability details – vuln.today

Back

CVE-2026-2991

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-2991

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code