CVE-2024-11728 in KiviCare Plugin

Summary

by MITRE • 12/06/2024

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'visit_type[service_id]' parameter of the tax_calculated_data AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.


Analysis

by VulDB Data Team • 07/31/2025

CVE-2024-11728 affects the KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress, which manages electronic health records and clinical workflows for medical practices. Because the plugin holds patient data, it is an attractive target for attackers seeking healthcare records. All versions up to and including 3.6.4 are affected, which is a significant risk for healthcare organizations that rely on the plugin for patient information management. The flaw lies in the tax_calculated_data AJAX action, part of the plugin's handling of financial calculations for patient visits and services.

The flaw is a SQL Injection through the 'visit_type[service_id]' parameter of the tax_calculated_data AJAX endpoint. The parameter is neither validated nor escaped before it is incorporated into a database query, and the query itself is not built with a prepared statement, so attacker-controlled input becomes part of the SQL the server executes. Because the input reaches the query as text rather than as a bound value, it can alter the structure of the existing query instead of merely supplying a value, bypassing the controls the application would otherwise apply.

The operational impact is severe for healthcare organizations: the AJAX action is reachable without authentication, so an attacker needs no credentials to read data from the database. The exposed data can include patient medical records, personal identification information, billing details, and clinical histories. Anyone who can reach the vulnerable WordPress site can attempt exploitation, which makes this vector particularly dangerous. Exposure of such data falls under healthcare data protection regulations including HIPAA and GDPR and can carry significant legal and financial consequences.

Mitigation starts with updating to version 3.6.5 or later, which contains the fix for the SQL Injection. Until the update is applied, a web application firewall and intrusion detection should be used to monitor for and block exploitation attempts against the tax_calculated_data action. Within the codebase, every value taken from the request should be validated and bound into SQL through parameterized queries, so that similar issues cannot recur. Security monitoring should cover unusual database query patterns and unauthorized data access. The weakness is CWE-89 (SQL Injection); in the MITRE ATT&CK framework the resulting data theft can be categorized under tactic TA0006 (Credential Access) and technique T1213 (Data from Information Repositories). Regular security assessments and vulnerability scanning should be used to find and remediate similar issues in other healthcare applications and systems.
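The following PHP is an added illustration of the two patterns the analysis contrasts, an AJAX handler that concatenates the nested 'visit_type[service_id]' value into SQL beside one that validates the value and binds it through $wpdb->prepare(). It is not KiviCare's code; the handler names, the example_services table and the returned columns are assumptions made for the example. The nopriv hook is included because the advisory states the action is reachable without authentication.

```php
<?php
// Added illustration (not the KiviCare plugin's code). Handler names and the
// table name are hypothetical; only the WordPress APIs used are real.

// A handler registered on both hooks is reachable with and without a session,
// matching the unauthenticated reach the advisory describes.
add_action( 'wp_ajax_tax_calculated_data', 'example_tax_calculated_data' );
add_action( 'wp_ajax_nopriv_tax_calculated_data', 'example_tax_calculated_data' );

// VULNERABLE pattern (CWE-89): the nested request value is read raw and
// concatenated into the query string, so whatever the client sends becomes
// part of the SQL the database executes. Kept only for comparison; not hooked.
function example_tax_calculated_data_unsafe() {
    global $wpdb;
    $service_id = $_POST['visit_type']['service_id'];   // untrusted, unescaped
    $sql  = "SELECT id, name, price FROM {$wpdb->prefix}example_services WHERE id = " . $service_id;
    $rows = $wpdb->get_results( $sql );                  // no prepare(): structure is attacker-controlled
    wp_send_json_success( $rows );
}

// HARDENED pattern: enforce the expected type, then bind the value with a
// typed placeholder so it can only ever be a literal, never query syntax.
function example_tax_calculated_data() {
    global $wpdb;

    // 1. Reject missing or non-scalar input before touching it; PHP happily
    //    accepts visit_type[service_id][] as an array.
    if ( ! isset( $_POST['visit_type']['service_id'] ) || is_array( $_POST['visit_type']['service_id'] ) ) {
        wp_send_json_error( 'invalid service_id', 400 );
    }

    // 2. A service ID has no valid form other than a positive integer.
    $service_id = absint( wp_unslash( $_POST['visit_type']['service_id'] ) );
    if ( 0 === $service_id ) {
        wp_send_json_error( 'invalid service_id', 400 );
    }

    // 3. %d forces an integer literal; $wpdb->prefix is server-side config,
    //    not user input, so interpolating it is safe.
    $sql  = $wpdb->prepare(
        "SELECT id, name, price FROM {$wpdb->prefix}example_services WHERE id = %d",
        $service_id
    );
    $rows = $wpdb->get_results( $sql );
    wp_send_json_success( $rows );
}
```

The type check in step 1 matters on its own: nested array parameters like 'visit_type[service_id]' are parsed by PHP into arrays, and a value that arrives as an array instead of a string can bypass naive sanitization that only expects scalars. Step 3 is what closes the injection; steps 1 and 2 make the failure mode a 400 response rather than a database error that leaks query structure.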

Responsible: Wordfence

Reservation: 11/25/2024

Disclosure: 12/06/2024

Moderation: accepted

CPE: ready

Exploit: Download

EPSS: 0.13262

KEV: no

Activities: very low

Sources
