KiviCare Clinic and Patient Management System Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in the KiviCare Clinic & Patient Management System (EHR) WordPress plugin, affecting all versions through 4.1.2. The vulnerability arises from a lack of proper authorization on the '/wp-json/kivicare/v1/setup-wizard/clinic' REST API endpoint. This flaw allows unauthenticated attackers to create new clinics and WordPress users with clinic admin rights.
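As an added illustration of the bug class described above (this is not KiviCare's code, and the plugin's actual implementation is not shown on this page), the WordPress REST registration pattern behind a missing authorization check, beside a hardened version that requires an administrator capability and refuses the call once setup has already run. The namespace and route come from the advisory; the handler names and the `example_kc_setup_complete` option are assumptions.

```php
<?php
// Added example, not the plugin's own code. Only the namespace 'kivicare/v1'
// and the route '/setup-wizard/clinic' are taken from the advisory; every
// other name here is assumed for illustration.

add_action( 'rest_api_init', 'example_register_setup_wizard_route' );

function example_register_setup_wizard_route() {
    register_rest_route( 'kivicare/v1', '/setup-wizard/clinic', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_create_clinic',
        // Vulnerable pattern (the class of bug this advisory describes):
        // every caller, logged in or not, reaches the handler.
        //   'permission_callback' => '__return_true',
        // Hardened pattern: a real authorization check.
        'permission_callback' => 'example_setup_wizard_permission',
    ) );
}

// Authorization for the setup wizard: only a logged-in administrator, and
// only while initial setup has not yet been completed. Note that cookie-
// authenticated REST calls must also carry a valid X-WP-Nonce header, or
// WordPress treats the caller as logged out and current_user_can() fails.
function example_setup_wizard_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to run the setup wizard.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
    // Assumed option name: records that the one-time setup already ran.
    if ( get_option( 'example_kc_setup_complete', false ) ) {
        return new WP_Error(
            'setup_already_complete',
            __( 'The setup wizard has already been completed.' ),
            array( 'status' => 403 )
        );
    }
    return true;
}

// Minimal handler (assumed): the real clinic and clinic-admin user creation
// is not shown here; the point of the example is the permission callback.
function example_create_clinic( WP_REST_Request $request ) {
    $name = sanitize_text_field( $request->get_param( 'name' ) );
    return rest_ensure_response( array( 'clinic' => $name, 'created' => true ) );
}
```

With the hardened callback in place, an unauthenticated request to the endpoint receives a 401 before the handler runs, which is the behaviour a defender should verify after updating.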

Impact

Exploitation of this vulnerability allows unauthenticated users to gain administrative privileges for a newly created clinic, potentially leading to unauthorized access and modifications within that clinic's management system.

Remediation

Users are advised to update the KiviCare WordPress plugin to version 4.1.3 or later.

Added: Mar 18, 2026, 4:26 PM
Updated: Mar 18, 2026, 4:26 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 5.0
exploitability: 8.2
remediation: 7.7
relevance: 4.1
threat: 3.2
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.