Skip to main content

Kivicare CVE-2024-11728

HIGH
SQL Injection (CWE-89)
2024-12-06 security@wordfence.com
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 06, 2024 - 10:15 nvd
HIGH 7.5

DescriptionNVD

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'visit_type[service_id]' parameter of the tax_calculated_data AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'visit_type[service_id]' parameter of the tax_calculated_data AJAX action in all. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'visit_type[service_id]' parameter of the tax_calculated_data AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Affected products include: Iqonic Kivicare.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2022-0786 CRITICAL POC
9.8 Jun 13

The KiviCare WordPress plugin before 2.3.9 does not sanitise and escape some parameters before using them in SQL stateme

CVE-2023-2628 HIGH POC
8.8 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks (either flawed or missing completely) in various AJ

CVE-2023-2623 MEDIUM POC
6.5 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user

CVE-2023-2624 MEDIUM POC
6.1 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in the pag

CVE-2023-2627 MEDIUM POC
4.3 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, a

CVE-2026-25383 HIGH
7.1 Mar 25

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Iqonic Design's KiviCare clinic management system through

CVE-2025-1572 MEDIUM
6.5 Feb 28

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_i

CVE-2026-25034 MEDIUM
6.5 Mar 25

Iqonic Design KiviCare clinic management system versions 3.6.16 and earlier contain an authorization bypass vulnerabilit

CVE-2024-11730 MEDIUM
6.5 Dec 06

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'sor

CVE-2024-11729 MEDIUM
6.5 Dec 06

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'ser

CVE-2026-40792 MEDIUM
6.3 Jun 15

Insecure Direct Object References (IDOR) in the KiviCare WordPress clinic management plugin through version 4.2.1 allows

Share

CVE-2024-11728 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy