CVE-2025-1572
Published: 28 February 2025
Description
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_id’ parameter in all versions up to, and including, 3.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Security Summary
CVE-2025-1572 is a SQL injection vulnerability in the KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress, affecting all versions up to and including 3.6.7. The flaw stems from insufficient escaping of the user-supplied 'u_id' parameter and lack of proper preparation in the existing SQL query within the app/controllers/KCPatientController.php file, specifically around lines 330 and 331. This CWE-89 issue has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with medium overall severity.
Authenticated attackers with doctor-level access or higher can exploit this vulnerability over the network with low complexity. By injecting malicious SQL via the 'u_id' parameter, they can append additional queries to existing ones, enabling extraction of sensitive information from the database, such as patient records or other clinic data.
Mitigation is addressed in WordPress plugin changeset 3245759, which patches the vulnerable code in KCPatientController.php. Security practitioners should update to a version beyond 3.6.7 and review the plugin's developer page on WordPress.org for further details.
Details
- CWE(s)