
A critical unauthenticated SQL injection vulnerability (CVE-2024-11728) has been identified in KiviCare Clinic & Patient Management System (EHR) version 3.6.4 and earlier. This WordPress plugin, used by healthcare providers for electronic health records (EHR) management, exposes sensitive patient data to potential exploitation without requiring authentication. The vulnerability carries a CVSS score of 7.5 (High) and was publicly disclosed on December 6, 2024.
Vulnerability Overview
The vulnerability exists in the AJAX action tax_calculated_data within JsonFetcher.svc. Attackers can manipulate the visit_type[service_id] parameter to inject malicious SQL queries. This flaw results from insufficient input sanitization, allowing arbitrary SQL execution against the database. The impact is significant, as it could lead to unauthorized access to patient records, user credentials, and other sensitive healthcare data.
Security researcher Samet Gözet discovered and reported this vulnerability. The vendor has since released version 3.6.5 to address the issue. According to the GitHub advisory, the vulnerability specifically affects the WordPress plugin implementation of KiviCare’s patient management system.
Technical Analysis
The SQL injection occurs through the vulnerable parameter in the AJAX handler. A proof-of-concept demonstrates time-based blind SQL injection using the payload:
123) AND (SELECT * FROM (SELECT(SLEEP(5)))alias) AND (1=1
This payload forces the database to pause for 5 seconds if the injection is successful, confirming the vulnerability. The full Python exploit script is available on Exploit-DB, though we refrain from reproducing it here for security reasons.
Detection methods include searching for vulnerable installations using the Google dork inurl:"/wp-content/plugins/kivicare-clinic-management-system/". Security tools such as Nuclei and Wordfence can also identify vulnerable instances.
Mitigation and Remediation
The primary mitigation is upgrading to KiviCare version 3.6.5 or later. For organizations unable to immediately update, virtual patching through WAF rules (such as those provided by Patchstack) can block exploitation attempts. System administrators should:
- Update the plugin immediately
- Review database logs for suspicious queries
- Monitor for unauthorized access attempts
- Consider restricting access to the plugin’s AJAX endpoints
Security teams should prioritize this update due to the sensitive nature of healthcare data and the potential regulatory implications of a breach. The vulnerability is particularly concerning because it requires no authentication, leaving every unpatched, internet-exposed installation open to scanning and automated attacks.
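As a concrete form of the "review logs" and "monitor for unauthorized access attempts" steps above, the following is an added example (not code from the advisory, Wordfence, Patchstack or the KiviCare project) that scans access-log lines for requests to the tax_calculated_data action whose visit_type[service_id] value is not a plain integer. It assumes the action and parameter arrive as query-string parameters on /wp-admin/admin-ajax.php (an assumption made for the sample; adjust the path to how the endpoint appears in your logs), and the three log lines are constructed, with the second carrying the payload quoted in the Technical Analysis section.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format). The second line
# carries the advisory's time-based payload, URL-encoded as a client would send it.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Dec/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=tax_calculated_data&visit_type%5Bservice_id%5D=123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [06/Dec/2024:10:00:07 +0000] "GET /wp-admin/admin-ajax.php?action=tax_calculated_data&visit_type%5Bservice_id%5D=123%29+AND+%28SELECT+%2A+FROM+%28SELECT%28SLEEP%285%29%29%29alias%29+AND+%281%3D1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.5 - - [06/Dec/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=get_clinic_list HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)

# Names taken from the advisory; admin-ajax.php as the dispatcher is an assumption.
VULN_ACTION = "tax_calculated_data"
VULN_PARAM = "visit_type[service_id]"


def is_valid_service_id(value: str) -> bool:
    """Allowlist check: a service id is a non-negative integer and nothing else.
    This is the same check the handler itself should apply (cast to int) before
    the value reaches a query; anything failing it is worth an analyst's look."""
    return value.isdigit()


def analyze_line(line: str):
    """Return (ip, timestamp, reason) for a request that hits the vulnerable action
    with a non-integer service id; return None for every other line."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a request line we can parse; skip rather than guess
    # parse_qs percent-decodes keys and values, so the bracketed key is restored.
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    if VULN_ACTION not in query.get("action", []):
        return None
    for value in query.get(VULN_PARAM, []):
        if not is_valid_service_id(value):
            return (m.group("ip"), m.group("ts"), f"non-integer {VULN_PARAM}: {value!r}")
    return None


def find_suspicious(log_text: str):
    """Scan a whole log and return the list of flagged (ip, timestamp, reason) tuples."""
    return [hit for hit in (analyze_line(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, ts, reason in find_suspicious(SAMPLE_LOG):
        print(f"{ts} {ip} {reason}")
```

Web-server access logs only show query-string parameters; if the plugin's AJAX action is sent in a POST body, the same allowlist check has to run in the WAF rule or in a request-body log instead.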
Conclusion
CVE-2024-11728 represents a serious risk to healthcare organizations using vulnerable versions of KiviCare. The combination of sensitive data exposure and ease of exploitation makes this a high-priority issue. Organizations should verify their plugin version and apply updates immediately. The availability of public exploit code increases the likelihood of widespread scanning attempts.
This incident highlights the importance of regular vulnerability scanning for healthcare applications, particularly those handling sensitive patient data. The rapid vendor response and patch availability demonstrate effective coordinated vulnerability disclosure.
References
- [1] NVD, “CVE-2024-11728 Detail,” National Vulnerability Database, 2024.
- [2] Wordfence, “KiviCare WordPress Plugin Vulnerability Advisory,” Wordfence Threat Intelligence, 2024.
- [3] GitHub, “GHSA-wpx6-wx33-ghrc Advisory,” GitHub Security Advisory Database, 2024.
- [4] Exploit-DB, “KiviCare Clinic Management System 3.6.4 – Unauthenticated SQL Injection,” Offensive Security, 2024.
- [5] Patchstack, “WordPress KiviCare Plugin Vulnerability,” Patchstack Vulnerability Database, 2024.
- [6] WordPress, “KiviCare Plugin Changelog,” WordPress Plugin Repository, 2024.