{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1572", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-21T23:55:54.970Z", "datePublished": "2025-02-28T07:34:38.548Z", "dateUpdated": "2026-04-08T17:31:13.109Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:13.109Z"}, "affected": [{"vendor": "iqonicdesign", "product": "KiviCare \u2013 Clinic & Patient Management System (EHR)", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.6.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The KiviCare \u2013 Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the \u2018u_id\u2019 parameter in all versions up to, and including, 3.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "title": "KiviCare \u2013 Clinic & Patient Management System (EHR) <= 3.6.7 - Authenticated (Doctor+) SQL Injection via 'u_id' Parameter", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eb6b0c35-b478-4616-a708-1fd243c95c14?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCPatientController.php#L330"}, {"url": "https://wordpress.org/plugins/kivicare-clinic-management-system/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCPatientController.php#L331"}, {"url": "https://plugins.trac.wordpress.org/changeset/3245759/kivicare-clinic-management-system/trunk/app/controllers/KCPatientController.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3245759/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "timeline": [{"time": "2025-02-27T19:24:13.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-28T13:55:25.099282Z", "id": "CVE-2025-1572", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-28T13:57:55.673Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1572", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-28T13:55:25.099282Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-28T13:57:49.564Z"}}], "cna": {"title": "KiviCare \u2013 Clinic & Patient Management System (EHR) <= 3.6.7 - Authenticated (Doctor+) SQL Injection via 'u_id' Parameter", "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "iqonicdesign", "product": "KiviCare \u2013 Clinic & Patient Management System (EHR)", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.6.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-27T19:24:13.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eb6b0c35-b478-4616-a708-1fd243c95c14?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCPatientController.php#L330"}, {"url": "https://wordpress.org/plugins/kivicare-clinic-management-system/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCPatientController.php#L331"}, {"url": "https://plugins.trac.wordpress.org/changeset/3245759/kivicare-clinic-management-system/trunk/app/controllers/KCPatientController.php"}, {"url": "https://plugins.trac.wordpress.org/changeset/3245759/"}], "descriptions": [{"lang": "en", "value": "The KiviCare \u2013 Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the \u2018u_id\u2019 parameter in all versions up to, and including, 3.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:31:13.109Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1572", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:31:13.109Z", "dateReserved": "2025-02-21T23:55:54.970Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-02-28T07:34:38.548Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The KiviCare \u2013 Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the \u2018u_id\u2019 parameter in all versions up to, and including, 3.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "id": "CVE-2025-1572", "lastModified": "2025-02-28T08:15:35.810", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-02-28T08:15:35.810", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCPatientController.php#L330"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCPatientController.php#L331"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3245759/"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3245759/kivicare-clinic-management-system/trunk/app/controllers/KCPatientController.php"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/kivicare-clinic-management-system/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/eb6b0c35-b478-4616-a708-1fd243c95c14?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T23:45:00.879949+00:00", "value": {"mitigation_remediation": ["Upgrade the KiviCare plugin to version 3.6.8 or later, which includes the necessary query sanitization changes.", "Modify the plugin configuration or code to ensure that any value bound to the 'u_id' parameter is strictly validated as a numeric ID and escaped or bound via prepared statements.", "Restrict database access for the WordPress role that represents doctors and above, minimizing the potential impact of any remaining injection surface."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection"}, "threat_synthesis": {"affected_systems": "Vulnerable versions of the KiviCare \u2013 Clinic & Patient Management System (EHR) plugin, issued by iqonicdesign, are all releases up to and including 3.6.7. The flaw exists in the WordPress plugin code and affects any site that has installed the plugin at those version levels. ", "description_and_impact": "The KiviCare \u2013 Clinic & Patient Management System for WordPress contains a classic SQL injection flaw triggered by the 'u_id' parameter. The plugin does not escape or prepare the user\u2011supplied value before incorporating it into a database query, allowing an attacker with doctor\u2011level or higher privileges to append arbitrary SQL statements. This can lead to the extraction of sensitive records from the database, but the vulnerability does not provide a route to remote code execution. The weakness corresponds to CWE\u201189. ", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate level of impact and suggests that the arbitrary code injection could be executed by authenticated users who possess at least doctor\u2011level access. The EPSS score of less than 1% indicates a low probability of active exploitation in the wild, and the vulnerability is not currently listed in CISA's KEV catalog. An attacker therefore needs an existing valid session for a doctor or higher in order to manipulate the 'u_id' value and retrieve data. The combination of limited exploitation probability and the requirement for privileged access keeps the overall risk moderate, but the data\u2011leak potential remains significant if a credential compromise occurs. "}}}}, "created": "2026-04-20T23:45:21.609806+00:00", "updated": "2026-04-20T23:45:21.609819+00:00", "vendors": []}