Skip to main content

KiviCare CVE-2025-66095

HIGH
SQL Injection (CWE-89)
2025-11-21 audit@patchstack.com
8.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

6
Analysis Updated
Apr 24, 2026 - 00:18 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Severity Changed
Apr 23, 2026 - 15:43 NVD
MEDIUM HIGH
CVSS changed
Apr 23, 2026 - 15:43 NVD
4.3 (MEDIUM) 8.5 (HIGH)
Analysis Generated
Mar 28, 2026 - 19:23 vuln.today
CVE Published
Nov 21, 2025 - 13:15 nvd
MEDIUM 4.3

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows SQL Injection.This issue affects KiviCare: from n/a through <= 3.6.13.

AnalysisAI

SQL injection in KiviCare clinic management WordPress plugin (versions ≤3.6.13) allows authenticated users with low privileges to extract sensitive database contents and potentially cause service disruption. The vulnerability exploits inadequate input sanitization in SQL queries, enabling attackers to inject malicious SQL commands. Reported by Patchstack's security audit team with an EPSS score of 0.04% (13th percentile), indicating low probability of mass exploitation but significant risk for targeted attacks against healthcare clinic deployments.

Technical ContextAI

KiviCare is a WordPress plugin for clinic management systems handling patient records, appointments, and medical data. The vulnerability stems from CWE-89 (SQL Injection), where user-controlled input is embedded into SQL queries without proper parameterization or escaping. The CVSS vector AV:N/AC:L indicates network-accessible exploitation with low complexity, requiring only authenticated access (PR:L). The changed scope (S:C) suggests the attacker can access resources beyond the plugin's security boundary, potentially reaching the underlying WordPress database containing patient health information (PHI), appointment schedules, and user credentials. SQL injection in healthcare plugins poses HIPAA compliance risks and data breach notification requirements.

Affected ProductsAI

WordPress KiviCare clinic management plugin by Iqonic Design, all versions up to and including 3.6.13. The vulnerability affects installations where authenticated users (even with minimal subscriber-level permissions) can access the plugin's functionality. Patchstack advisory available at https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-13-sql-injection-vulnerability. No CPE identifier provided in available data, but the canonical product identifier is wordpress-plugin:kivicare-clinic-management-system.

RemediationAI

Upgrade KiviCare plugin to version 3.6.14 or later if available (check WordPress plugin repository or vendor directly, as fix version not independently confirmed in NVD data). Immediately audit all WordPress user accounts with subscriber-level or higher permissions and revoke unnecessary access, particularly for patient portal accounts. Until patching, implement database-level query monitoring to detect SQL injection attempts (unusual UNION/SELECT/WHERE clauses in KiviCare queries) and configure WordPress firewall rules (via plugins like Wordfence or Sucuri) to block suspicious SQL patterns in POST/GET parameters targeting KiviCare endpoints. Trade-off: aggressive WAF rules may block legitimate clinic workflows involving special characters in patient names or medical notes - test thoroughly. If urgent mitigation is required and patch unavailable, temporarily disable the KiviCare plugin and revert to manual appointment scheduling, though this disrupts clinic operations. Consult Patchstack advisory for additional vendor guidance: https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-13-sql-injection-vulnerability.

Share

CVE-2025-66095 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy