Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
6DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows SQL Injection.This issue affects KiviCare: from n/a through <= 3.6.13.
AnalysisAI
SQL injection in KiviCare clinic management WordPress plugin (versions ≤3.6.13) allows authenticated users with low privileges to extract sensitive database contents and potentially cause service disruption. The vulnerability exploits inadequate input sanitization in SQL queries, enabling attackers to inject malicious SQL commands. Reported by Patchstack's security audit team with an EPSS score of 0.04% (13th percentile), indicating low probability of mass exploitation but significant risk for targeted attacks against healthcare clinic deployments.
Technical ContextAI
KiviCare is a WordPress plugin for clinic management systems handling patient records, appointments, and medical data. The vulnerability stems from CWE-89 (SQL Injection), where user-controlled input is embedded into SQL queries without proper parameterization or escaping. The CVSS vector AV:N/AC:L indicates network-accessible exploitation with low complexity, requiring only authenticated access (PR:L). The changed scope (S:C) suggests the attacker can access resources beyond the plugin's security boundary, potentially reaching the underlying WordPress database containing patient health information (PHI), appointment schedules, and user credentials. SQL injection in healthcare plugins poses HIPAA compliance risks and data breach notification requirements.
Affected ProductsAI
WordPress KiviCare clinic management plugin by Iqonic Design, all versions up to and including 3.6.13. The vulnerability affects installations where authenticated users (even with minimal subscriber-level permissions) can access the plugin's functionality. Patchstack advisory available at https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-13-sql-injection-vulnerability. No CPE identifier provided in available data, but the canonical product identifier is wordpress-plugin:kivicare-clinic-management-system.
RemediationAI
Upgrade KiviCare plugin to version 3.6.14 or later if available (check WordPress plugin repository or vendor directly, as fix version not independently confirmed in NVD data). Immediately audit all WordPress user accounts with subscriber-level or higher permissions and revoke unnecessary access, particularly for patient portal accounts. Until patching, implement database-level query monitoring to detect SQL injection attempts (unusual UNION/SELECT/WHERE clauses in KiviCare queries) and configure WordPress firewall rules (via plugins like Wordfence or Sucuri) to block suspicious SQL patterns in POST/GET parameters targeting KiviCare endpoints. Trade-off: aggressive WAF rules may block legitimate clinic workflows involving special characters in patient names or medical notes - test thoroughly. If urgent mitigation is required and patch unavailable, temporarily disable the KiviCare plugin and revert to manual appointment scheduling, though this disrupts clinic operations. Consult Patchstack advisory for additional vendor guidance: https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-13-sql-injection-vulnerability.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today