Skip to main content

Kivicare CVE-2025-1572

MEDIUM
SQL Injection (CWE-89)
2025-02-28 security@wordfence.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 28, 2026 - 18:29 vuln.today
Patch released
Mar 28, 2026 - 18:29 nvd
Patch available
CVE Published
Feb 28, 2025 - 08:15 nvd
MEDIUM 6.5

DescriptionCVE.org

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_id’ parameter in all versions up to, and including, 3.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_id’ parameter in all versions up to, and including, 3.6.7 due to insufficient. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Technical ContextAI

This vulnerability is classified as SQL Injection (CWE-89), which allows attackers to execute arbitrary SQL commands against the database. The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_id’ parameter in all versions up to, and including, 3.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Affected products include: Iqonic Kivicare.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Use parameterized queries/prepared statements. Never concatenate user input into SQL. Apply least-privilege database permissions.

CVE-2022-0786 CRITICAL POC
9.8 Jun 13

The KiviCare WordPress plugin before 2.3.9 does not sanitise and escape some parameters before using them in SQL stateme

CVE-2023-2628 HIGH POC
8.8 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks (either flawed or missing completely) in various AJ

CVE-2024-11728 HIGH POC
7.5 Dec 06

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'vis

CVE-2023-2623 MEDIUM POC
6.5 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user

CVE-2023-2624 MEDIUM POC
6.1 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in the pag

CVE-2023-2627 MEDIUM POC
4.3 Jun 27

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, a

CVE-2026-25383 HIGH
7.1 Mar 25

A Reflected Cross-Site Scripting (XSS) vulnerability exists in Iqonic Design's KiviCare clinic management system through

CVE-2026-25034 MEDIUM
6.5 Mar 25

Iqonic Design KiviCare clinic management system versions 3.6.16 and earlier contain an authorization bypass vulnerabilit

CVE-2024-11730 MEDIUM
6.5 Dec 06

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'sor

CVE-2024-11729 MEDIUM
6.5 Dec 06

The KiviCare - Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'ser

CVE-2026-40792 MEDIUM
6.3 Jun 15

Insecure Direct Object References (IDOR) in the KiviCare WordPress clinic management plugin through version 4.2.1 allows

Share

CVE-2025-1572 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy