KiviCare – Clinic & Patient Management System (EHR) <= 3.6.4 - Unauthenticated SQL Injection
Description
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'visit_type[service_id]' parameter of the tax_calculated_data AJAX action in all versions up to, and including, 3.6.4, because the user-supplied parameter is insufficiently escaped and the existing SQL query is not sufficiently prepared. This makes it possible for unauthenticated attackers to append additional SQL to already existing queries, which can be used to extract sensitive information from the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in KiviCare WordPress plugin up to 3.6.4 allows attackers to extract sensitive database information.
Vulnerability
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress versions up to and including 3.6.4 is vulnerable to SQL injection via the visit_type[service_id] parameter of the tax_calculated_data AJAX action. The plugin fails to properly escape user-supplied input and does not prepare the SQL query sufficiently, allowing injection of arbitrary SQL. [1]
Exploitation
An unauthenticated attacker can send a crafted AJAX request to the tax_calculated_data action with a malicious visit_type[service_id] parameter. No authentication or prior access is required. The injected SQL is appended to an existing query, enabling the attacker to manipulate the query execution.
Impact
Successful exploitation allows an unauthenticated attacker to extract sensitive information from the WordPress database, such as user credentials, session tokens, or other private data. The attacker does not gain direct code execution but can retrieve any data stored in the database.
Mitigation
The vulnerability exists in all versions up to 3.6.4. The plugin's current version is 4.4.0 [1], which likely includes a fix. Users should update to the latest version (4.4.0 or later) immediately. No workarounds are documented. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog as of publication.
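The flaw class described above, as an added illustration rather than KiviCare's own code: the first handler interpolates the raw visit_type[service_id] value into the query, the second enforces the integer type with absint() and binds it through $wpdb->prepare(). The handler names and the kc_services table are assumptions; the action name and the unauthenticated (wp_ajax_nopriv_) exposure follow the advisory.

```php
<?php
// Added illustration, not the plugin's code. Table and function names are assumed.

// Weak pattern: the request value becomes part of the SQL text unchanged, so the
// structure of the query is under the caller's control (no escaping, no prepare()).
function kc_tax_calculated_data_weak() {
    global $wpdb;
    $visit_type = isset( $_POST['visit_type'] ) ? (array) $_POST['visit_type'] : array();
    $service_id = isset( $visit_type['service_id'] ) ? $visit_type['service_id'] : '';
    $sql = "SELECT id, name, price FROM {$wpdb->prefix}kc_services WHERE id = " . $service_id;
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Hardened pattern: fix the query structure first, then bind typed values.
// Accepts either a single id or a list of ids (visit_type[service_id][]).
function kc_tax_calculated_data_hardened() {
    global $wpdb;

    $visit_type = ( isset( $_POST['visit_type'] ) && is_array( $_POST['visit_type'] ) )
        ? wp_unslash( $_POST['visit_type'] ) : array();
    $raw_ids = isset( $visit_type['service_id'] ) ? (array) $visit_type['service_id'] : array();

    // Step 1: type enforcement. absint() reduces every element to a non-negative
    // integer; any value that is not a plain number collapses to 0 and is dropped.
    $service_ids = array_filter( array_map( 'absint', $raw_ids ) );
    if ( empty( $service_ids ) ) {
        wp_send_json_error( array( 'message' => 'Invalid service id' ), 400 ); // exits
    }

    // Step 2: parameter binding. One %d placeholder per id; prepare() casts each
    // bound value, so user data can never alter the shape of the statement.
    $placeholders = implode( ', ', array_fill( 0, count( $service_ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT id, name, price FROM {$wpdb->prefix}kc_services WHERE id IN ( $placeholders )",
        $service_ids
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// The advisory describes an unauthenticated endpoint, hence the nopriv hook as well.
add_action( 'wp_ajax_nopriv_tax_calculated_data', 'kc_tax_calculated_data_hardened' );
add_action( 'wp_ajax_tax_calculated_data', 'kc_tax_calculated_data_hardened' );
```

When reviewing a patched version, the thing to confirm is that every value taken from $_POST['visit_type'] reaches $wpdb only through a prepare() placeholder or an integer cast, not through string concatenation.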
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- iqonicdesign/KiviCare – Clinic & Patient Management System (EHR), range: <= 3.6.4