CVE-2025-66095
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows SQL Injection. This issue affects KiviCare: from n/a through <= 3.6.13.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in KiviCare <=3.6.13 allows unauthenticated attackers to execute arbitrary SQL commands, risking data theft and website compromise.
Vulnerability
Overview
CVE-2025-66095 describes an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in the Iqonic Design KiviCare plugin for WordPress (kivicare-clinic-management-system). The flaw exists because user-supplied input is not properly sanitized before being used in SQL queries, allowing an attacker to inject malicious SQL code. All versions through 3.6.13 are affected; no lower bound is given (listed as n/a) [1].
Exploitation and Attack Surface
This vulnerability is remotely exploitable without authentication, making it particularly dangerous for mass exploitation campaigns targeting thousands of WordPress sites. An attacker needs only network access to send crafted HTTP requests containing SQL injection payloads. The reference explicitly warns that such vulnerabilities are used to attack websites regardless of traffic size or popularity [1].
Impact
A successful SQL injection allows the attacker to interact directly with the underlying database. This can lead to exfiltration of sensitive data (such as user credentials or, in a clinic context, patient records), modification or deletion of data, and in some cases further compromise of the WordPress installation [1]. The CVSS v3 score of 8.5 (High) reflects the potential severity and ease of exploitation.
Mitigation
The vendor has released version 3.6.14 which fixes the SQL injection. Users are strongly advised to update immediately. Patchstack users can enable auto-updates for vulnerable plugins. If immediate updating is not possible, a hosting provider or web developer should be consulted for alternative mitigations [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.6.13
Patches
No patches discovered yet.
References
News mentions
No linked articles in our index yet.