KiviCare – Clinic & Patient Management System (EHR) <= 3.6.7 - Authenticated (Doctor+) SQL Injection via 'u_id' Parameter
Description
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_id’ parameter in all versions up to, and including, 3.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in KiviCare WordPress plugin allows authenticated doctor-level users to extract database information via the 'u_id' parameter.
Vulnerability
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection in all versions up to and including 3.6.7. The flaw resides in the handling of the u_id parameter, where insufficient escaping on user-supplied input and lack of prepared statements allow an attacker to inject arbitrary SQL queries into existing database queries [1].
Exploitation
An attacker must be authenticated with at least doctor-level access to the WordPress site. By crafting a malicious u_id parameter in a request to a vulnerable endpoint, the attacker can append additional SQL statements to the original query. No other special network position or user interaction is required beyond the authenticated session.
Impact
Successful exploitation enables the attacker to extract sensitive information from the WordPress database, including patient records, user credentials, and other confidential data managed by the plugin. The attack does not grant code execution or file modification but leads to significant information disclosure.
Mitigation
The vendor has released version 4.4.0 of the plugin, which is the latest version available on the WordPress plugin repository [1]. Users should update to version 4.4.0 or later to remediate the vulnerability. No official workaround has been published, and the plugin is not listed on the CISA KEV catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- Range: <=3.6.7
- iqonicdesign/KiviCare – Clinic & Patient Management System (EHR)v5Range: 0
Patches
2r3245759Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCPatientController.phpmitre
- plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCPatientController.phpmitre
- plugins.trac.wordpress.org/changeset/3245759/mitre
- plugins.trac.wordpress.org/changeset/3245759/kivicare-clinic-management-system/trunk/app/controllers/KCPatientController.phpmitre
- wordpress.org/plugins/kivicare-clinic-management-system/mitre
- www.wordfence.com/threat-intel/vulnerabilities/id/eb6b0c35-b478-4616-a708-1fd243c95c14mitre
News mentions
0No linked articles in our index yet.