Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows SQL Injection.This issue affects KiviCare: from n/a through <= 3.6.13.
Published: 2025-11-21
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Iqonic Design KiviCare translates user input directly into an SQL query without proper escaping, resulting in a SQL Injection flaw (CWE‑89). An attacker who can supply crafted input to the plugin can execute arbitrary SQL statements against the underlying database, potentially reading, modifying, or deleting sensitive data stored in the clinic management system. The vulnerability directly compromises confidentiality, integrity, and possibly availability of the business data managed by the plugin.

Affected Systems

The vulnerability affects the Iqonic Design KiviCare plugin (kivicare‑clinic‑management‑system) for WordPress. All releases from the earliest available version up to and including version 3.6.13 are impacted; no later versions are listed as vulnerable.

Risk and Exploitability

With a CVSS score of 8.5, this flaw is rated high severity. The EPSS score of less than 1% indicates a low estimated exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would likely require ability to deliver input to the plugin via its web interface, possibly needing authenticated access to administrative pages, though the exact prerequisites are not detailed in the advisory. If exploited, the attacker could exfiltrate or alter the clinic’s patient and appointment data.

Generated by OpenCVE AI on April 29, 2026 at 19:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the KiviCare plugin to a version newer than 3.6.13. If an update is not available, consider disabling or uninstalling the plugin until a fix is released.
  • Limit access to the plugin’s administrative interface by enforcing strict role‑based permissions or network‑level controls, ensuring only trusted users can submit data that reaches the vulnerable code paths.
  • Enable logging of all database queries and inspect logs regularly for unexpected or malformed statements that might indicate an injection attempt.

Generated by OpenCVE AI on April 29, 2026 at 19:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 28 Nov 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 24 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Iqonic
Iqonic kivicare
Wordpress
Wordpress wordpress
Vendors & Products Iqonic
Iqonic kivicare
Wordpress
Wordpress wordpress

Fri, 21 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows SQL Injection.This issue affects KiviCare: from n/a through <= 3.6.13.
Title WordPress KiviCare plugin <= 3.6.13 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Iqonic Kivicare
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:16.559Z

Reserved: 2025-11-21T11:21:12.145Z

Link: CVE-2025-66095

cve-icon Vulnrichment

Updated: 2025-11-28T20:31:24.574Z

cve-icon NVD

Status : Deferred

Published: 2025-11-21T13:15:50.877

Modified: 2026-04-27T18:16:35.220

Link: CVE-2025-66095

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T20:00:18Z

Weaknesses