CVE-2026-2991
KiviCare · Clinic & Patient Management System (EHR) plugin for WordPress
The KiviCare EHR plugin for WordPress suffers from an authentication bypass in its social login handler, patientSocialLogin(), allowing unauthenticated attackers to log in as any patient account or to obtain an administrator's authentication cookies.
Executive summary
A critical authentication bypass in the KiviCare WordPress plugin allows unauthenticated attackers to gain full access to sensitive medical records and potentially hijack administrator sessions.
Vulnerability
The patientSocialLogin() function never validates the supplied access token against the social provider: it accepts whatever email address and token value the request carries. An unauthenticated attacker who knows or guesses a patient's email address can therefore log in as that patient with an arbitrary token. Worse, the function sets the authentication cookies for the matched account before it checks that account's role. A request naming an administrator's email address is rejected with an HTTP 403, but by then the Set-Cookie headers carrying that administrator's authentication cookies are already in the response, so the role check limits only the status code, not the exposure.
Business impact
This vulnerability represents a catastrophic risk to patient privacy and regulatory compliance (e.g., HIPAA). With a CVSS score of 9.8, attackers can access Protected Health Information (PHI), prescriptions, and billing data. Furthermore, the potential for administrator session hijacking could lead to a total site takeover, causing massive reputational and legal damage.
Remediation
Immediate Action: Update the KiviCare plugin to the latest patched version immediately. If no patched version is available yet, disable the social login feature, or deactivate the plugin entirely, until a fix is applied. If administrator cookie exposure is suspected, invalidate existing sessions after patching (for example by rotating the authentication keys and salts in wp-config.php, which logs every user out).
Proactive Monitoring: Review WordPress login activity for patient accounts that authenticated via social login unexpectedly, and review web server or reverse proxy logs for requests to the social login endpoint that returned HTTP 403: on an unpatched site those responses still carried Set-Cookie headers with authentication cookies. Standard access log formats do not record response headers, so confirming exposure requires a log format or WAF capture that includes Set-Cookie.
Compensating Controls: Until the patch is applied, block or rate-limit requests to the patientSocialLogin endpoint at the WAF or reverse proxy, and enforce Multi-Factor Authentication (MFA) for all administrator accounts. Note that MFA on the WordPress login form does not by itself block this path, because the cookie is issued outside the normal login flow; it reduces the impact of a leaked administrator password, not of a leaked session cookie.
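The monitoring step above asks for 403 responses that still carried authentication cookies. The following is an added example, not part of this advisory and not code from the KiviCare plugin, that runs that check over a few constructed access log lines and also flags a source IP that completes several social logins in quick succession (an attacker iterating over patient email addresses). It assumes a reverse proxy log format that appends the upstream Set-Cookie header as a final quoted field (nginx's $sent_http_set_cookie), assumes the plugin issues WordPress's standard wordpress_logged_in_* cookies, and uses a placeholder request path containing patientSocialLogin; the real route on your installation will differ.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: the proxy in front of WordPress logs in combined format plus the
# upstream Set-Cookie header as a final quoted field (nginx: "$sent_http_set_cookie").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<set_cookie>[^"]*)"$'
)

# Assumption: the social login handler is reachable via a request whose path or
# query string mentions the route; adjust to the real route of your install.
ENDPOINT_RE = re.compile(r"social[_-]?login", re.IGNORECASE)

# WordPress's standard auth cookie names start with this prefix. The advisory
# says cookies are set before the role check, so a 403 carrying one is the tell.
AUTH_COOKIE_PREFIX = "wordpress_logged_in_"

# Constructed sample lines (not real traffic); the route_name value is a placeholder.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_post&route_name=patientSocialLogin HTTP/1.1" 403 57 "-" "curl/8.4.0" "wordpress_logged_in_1a2b=admin%7C1773400000%7Ctoken%7Chmac; Path=/; HttpOnly"
203.0.113.7 - - [12/Mar/2026:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_post&route_name=patientSocialLogin HTTP/1.1" 200 212 "-" "curl/8.4.0" "wordpress_logged_in_1a2b=patient1%7C1773400000%7Ctoken%7Chmac; Path=/; HttpOnly"
203.0.113.7 - - [12/Mar/2026:10:01:06 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_post&route_name=patientSocialLogin HTTP/1.1" 200 212 "-" "curl/8.4.0" "wordpress_logged_in_1a2b=patient2%7C1773400000%7Ctoken%7Chmac; Path=/; HttpOnly"
203.0.113.7 - - [12/Mar/2026:10:01:07 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_post&route_name=patientSocialLogin HTTP/1.1" 200 212 "-" "curl/8.4.0" "wordpress_logged_in_1a2b=patient3%7C1773400000%7Ctoken%7Chmac; Path=/; HttpOnly"
198.51.100.4 - - [12/Mar/2026:10:02:11 +0000] "GET /wp-login.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "-"
198.51.100.4 - - [12/Mar/2026:10:02:40 +0000] "POST /wp-admin/admin-ajax.php?action=ajax_post&route_name=patientSocialLogin HTTP/1.1" 403 57 "-" "Mozilla/5.0" "-"
"""


@dataclass
class Finding:
    kind: str
    ip: str
    ts: str
    detail: str


def parse_line(line: str):
    """Return the log fields as a dict, or None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text: str, success_threshold: int = 3):
    """Flag (1) 403s on the social login endpoint that still issued an auth
    cookie, and (2) source IPs with at least success_threshold successful
    social logins, which suggests iteration over patient email addresses."""
    findings = []
    successes = Counter()
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not ENDPOINT_RE.search(rec["path"]):
            continue
        issued_auth = AUTH_COOKIE_PREFIX in rec["set_cookie"]
        if rec["status"] == "403" and issued_auth:
            findings.append(Finding("403_set_auth_cookie", rec["ip"], rec["ts"],
                                    f"auth cookie issued on 403: {rec['set_cookie'][:60]}"))
        elif rec["status"] == "200" and issued_auth:
            successes[rec["ip"]] += 1
            first_seen.setdefault(rec["ip"], rec["ts"])
    for ip, n in successes.items():
        if n >= success_threshold:
            findings.append(Finding("burst_social_logins", ip, first_seen[ip],
                                    f"{n} social logins from one source"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.kind:22} {f.ip:14} {f.ts}  {f.detail}")
```

The 403-with-cookie rule is the direct signature of the pre-patch behaviour described above, so a single hit is worth treating as a confirmed exposure of that account's session. The burst rule is noisier and the threshold should be tuned to the clinic's real social login volume; a 403 without any Set-Cookie header (the last sample line) is what a patched installation, or a legitimate denial, looks like.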
Exploitation status
Public Exploit Available: false
Analyst recommendation
Due to the sensitivity of medical data and the high CVSS score, this is a top-priority remediation. Organizations must update the KiviCare plugin immediately to prevent unauthenticated access to sensitive EHR data and administrative functions.