VYPR
← All advisories
Unrated severityNVD Advisory· Published Dec 6, 2024· Updated Apr 8, 2026

KiviCare – Clinic & Patient Management System (EHR) <= 3.6.4 - Authenticated (Subscriber+) SQL Injection

CVE-2024-11729

Description

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'service_list[0][service_id]' parameter of the get_widget_payment_options AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Custom-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

KiviCare plugin SQL injection in service_list[0][service_id] allows authenticated attackers with Custom-level access to extract database info.

Vulnerability

The KiviCare – Clinic & Patient Management System (EHR) WordPress plugin versions up to and including 3.6.4 are vulnerable to SQL injection via the service_list[0][service_id] parameter in the get_widget_payment_options AJAX action. The plugin fails to properly escape user-supplied input and lacks sufficient preparation on the existing SQL query, allowing attackers to inject additional SQL queries [1].

Exploitation

An authenticated attacker with at least Custom-level access can exploit this vulnerability by sending a crafted AJAX request containing malicious SQL in the service_list[0][service_id] parameter. No further user interaction is required [1].

Impact

Successful exploitation allows the attacker to append arbitrary SQL queries to existing ones, potentially extracting sensitive information from the database, such as user credentials or patient data [1].

Mitigation

The vulnerability is fixed in version 4.4.0 of the plugin [1]. Users should update to the latest version immediately. No workarounds are known.

References
  1. KiviCare – Clinic & Patient Management System (EHR)

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

1
r3201428
https://plugins.svn.wordpress.org/kivicare-clinic-management-systemvia osv
commit

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.