Description
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_id’ parameter in all versions up to, and including, 3.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-02-28
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Immediate Patch
AI Analysis

Impact

The KiviCare – Clinic & Patient Management System for WordPress contains a classic SQL injection flaw triggered by the 'u_id' parameter. The plugin does not escape or prepare the user‑supplied value before incorporating it into a database query, allowing an attacker with doctor‑level or higher privileges to append arbitrary SQL statements. This can lead to the extraction of sensitive records from the database, but the vulnerability does not provide a route to remote code execution. The weakness corresponds to CWE‑89.

Affected Systems

Vulnerable versions of the KiviCare – Clinic & Patient Management System (EHR) plugin, issued by iqonicdesign, are all releases up to and including 3.6.7. The flaw exists in the WordPress plugin code and affects any site that has installed the plugin at those version levels.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate level of impact: the SQL injection can be executed by authenticated users who possess at least doctor‑level access. The EPSS score of less than 1% indicates a low probability of active exploitation in the wild, and the vulnerability is not currently listed in CISA's KEV catalog. An attacker therefore needs an existing valid session for a doctor or higher in order to manipulate the 'u_id' value and retrieve data. The combination of limited exploitation probability and the requirement for privileged access keeps the overall risk moderate, but the data‑leak potential remains significant if a doctor‑level credential is compromised.

Generated by OpenCVE AI on April 20, 2026 at 23:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the KiviCare plugin to version 3.6.8 or later, which includes the necessary query sanitization changes.
  • Modify the plugin configuration or code to ensure that any value bound to the 'u_id' parameter is strictly validated as a numeric ID and escaped or bound via prepared statements.
  • Restrict database access for the WordPress role that represents doctors and above, minimizing the potential impact of any remaining injection surface.
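
The second recommendation above, shown in PHP against WordPress's `$wpdb` API as an added illustration (this is not KiviCare's code; the table, column and capability names are assumed): the unsafe shape interpolates the request value into the SQL string, while the hardened version rejects anything that is not a numeric ID and binds it through `$wpdb->prepare()` with a `%d` placeholder.

```php
<?php
// Added example, not the plugin's code. Table name "{prefix}example_patients",
// column "user_id" and capability "example_view_patients" are assumptions.

// Unsafe shape (illustrative only): the raw 'u_id' value becomes part of the
// SQL text, so any non-integer input changes the structure of the query.
function example_get_patient_unsafe( $wpdb, array $request ) {
    $u_id = isset( $request['u_id'] ) ? $request['u_id'] : '';
    $sql  = "SELECT * FROM {$wpdb->prefix}example_patients WHERE user_id = " . $u_id;
    return $wpdb->get_results( $sql );
}

// Hardened shape: check the caller's capability, require 'u_id' to be a plain
// string of digits, cast it with absint(), and let $wpdb->prepare() bind it as
// an integer so the database never interprets the value as SQL.
function example_get_patient_hardened( $wpdb, array $request ) {
    if ( ! current_user_can( 'example_view_patients' ) ) { // assumed capability name
        return new WP_Error( 'forbidden', 'Insufficient privileges', array( 'status' => 403 ) );
    }
    if ( ! isset( $request['u_id'] ) || ! ctype_digit( (string) $request['u_id'] ) ) {
        // Reject e.g. "1 OR 1=1", "1;--", "" before any SQL is built.
        return new WP_Error( 'bad_request', 'u_id must be a numeric ID', array( 'status' => 400 ) );
    }
    $u_id = absint( $request['u_id'] ); // now guaranteed to be a non-negative integer

    $sql = $wpdb->prepare(
        "SELECT id, user_id, display_name FROM {$wpdb->prefix}example_patients WHERE user_id = %d",
        $u_id
    );
    return $wpdb->get_results( $sql );
}
```

Rejected requests in the hardened handler are a useful signal to log: repeated 400s on 'u_id' from a single doctor session are what probing of this parameter would look like from the defender's side.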

Advisories

Source: EUVD
ID: EUVD-2025-5506
Title: same text as the Description section above (KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress, SQL Injection via the ‘u_id’ parameter, versions up to and including 3.6.7, authenticated doctor-level access and above).
History

Tue, 04 Mar 2025 03:45:00 +0000

  • Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 28 Feb 2025 07:45:00 +0000

  • Description added: The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_id’ parameter in all versions up to, and including, 3.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
  • Title added: KiviCare – Clinic & Patient Management System (EHR) <= 3.6.7 - Authenticated (Doctor+) SQL Injection via 'u_id' Parameter
  • Weaknesses added: CWE-89
  • References: (no values shown)
  • Metrics (cvssV3_1) added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

  Status: PUBLISHED
  Assigner: Wordfence
  Published:
  Updated: 2026-04-08T17:31:13.109Z
  Reserved: 2025-02-21T23:55:54.970Z
  Link: CVE-2025-1572

Vulnrichment

  Updated: 2025-02-28T13:57:49.564Z

NVD

  Status: Received
  Published: 2025-02-28T08:15:35.810
  Modified: 2025-02-28T08:15:35.810
  Link: CVE-2025-1572

Redhat

  No data.

OpenCVE Enrichment

  Updated: 2026-04-20T23:45:21Z

Weaknesses

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')