The KiviCare Clinic & Patient Management System (EHR) WordPress plugin contains a critical SQL Injection vulnerability affecting all versions up to, and including, 3.6.4. The vulnerability exists because the user-supplied parameter visit_type[service_id] is not sufficiently escaped and the SQL query it feeds is not properly prepared.
As a result, unauthenticated attackers can exploit this vulnerability to read sensitive information from the database. This blog post covers the details of CVE-2024-11728, including the code responsible for the vulnerability, original references, and exploitation details.
Code Snippet and Vulnerability Details
The vulnerable code is in the tax_calculated_data AJAX action of the KiviCare plugin. The issue comes from insufficient escaping of the user-supplied parameter visit_type[service_id].
Below is an example of the vulnerable code:
function tax_calculated_data() {
    global $wpdb;

    // User-controlled value taken straight from the POST body, with no validation
    $service_id = $_POST['visit_type']['service_id'];

    // The value is concatenated into the SQL string instead of being bound
    // through $wpdb->prepare(), so it can change the structure of the statement
    $query = "
        SELECT * FROM " . $wpdb->prefix . "kivicare_services
        WHERE id = " . $service_id;

    $result = $wpdb->get_results( $query );
}
In the code snippet above, the $_POST['visit_type']['service_id'] user input is inserted directly into an SQL query by string concatenation. No escaping is applied and no prepared statement is used, so the input is never sanitized. Consequently, an unauthenticated attacker can craft a malicious value for visit_type[service_id] that alters the SQL query and returns sensitive information.
Exploit Details
To exploit this vulnerability, an attacker injects a malicious SQL fragment into the visit_type[service_id] parameter. This can be done with an HTTP POST request using a tool like curl or any other HTTP client.
Here is an example of a malicious payload:
1 UNION ALL SELECT 1,2,3,4,5,6,7,%28usr_user_login%29,CURRENT_USER,9,10,11,12,13,14,15,16,17 FROM wp_users WHERE id=1
By sending this payload, an attacker could extract sensitive information from the WordPress database, such as admin usernames and other critical data.
Original References
* Official WordPress Plugin Page
* KiviCare Developer Website
* CVE-2024-11728 NVD Entry
Recommendations and Remediation
To fix this vulnerability, KiviCare should validate and escape the input and use prepared statements to sanitize user input before it reaches the SQL query.
If you are using the KiviCare Clinic & Patient Management System (EHR) plugin at version 3.6.4 or earlier, it is highly recommended to update the plugin as soon as a patch is released, or to disable the plugin until then so attackers cannot exploit this vulnerability.
Always stay informed about security updates and check regularly for plugin updates to keep your WordPress site secure.
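The following is an added example of what the remediation described above looks like in practice; it is not the plugin's own code or the vendor's patch. It rewrites the vulnerable handler shown earlier so that visit_type[service_id] is validated as a plain integer and bound through $wpdb->prepare(). The nonce action name 'kc_tax_calculated' and the AJAX hook registration at the bottom are assumptions made for the example; the table name follows the post.

```php
<?php
// Added example (not the plugin's code): a hardened version of the handler
// discussed in this post. 'kc_tax_calculated' is a hypothetical nonce action.
function tax_calculated_data_hardened() {
    global $wpdb;

    // Reject requests that do not carry a valid nonce issued by the plugin's
    // own front end. On failure this terminates the request (-1).
    check_ajax_referer( 'kc_tax_calculated', 'nonce' );

    $raw = isset( $_POST['visit_type']['service_id'] )
        ? wp_unslash( $_POST['visit_type']['service_id'] )
        : '';

    // Strict allow-list: the id must be a string of decimal digits only.
    // A payload such as "1 UNION ALL SELECT ..." is refused outright rather
    // than being silently truncated to its leading "1" by an int cast.
    if ( ! is_string( $raw ) || $raw === '' || ! ctype_digit( $raw ) ) {
        // wp_send_json_error() sends the response and calls die().
        wp_send_json_error( array( 'message' => 'Invalid service id' ), 400 );
    }
    $service_id = (int) $raw;

    // Parameterised query: the %d placeholder is filled with an integer by
    // $wpdb->prepare(), so the value can never change the statement itself.
    $query = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}kivicare_services WHERE id = %d",
        $service_id
    );
    $result = $wpdb->get_results( $query );

    wp_send_json_success( $result );
}

// Hook registration is assumed for the example; because the post describes an
// unauthenticated attacker, the nopriv hook is shown as well. If the data is
// only needed by logged-in users, drop the nopriv line entirely.
add_action( 'wp_ajax_tax_calculated_data', 'tax_calculated_data_hardened' );
add_action( 'wp_ajax_nopriv_tax_calculated_data', 'tax_calculated_data_hardened' );
```

Two defensive layers are combined here: the digit-only check means nothing but an integer ever reaches the query, and $wpdb->prepare() with %d guarantees that even if the validation were loosened later, the value would still be bound as a parameter rather than spliced into the SQL text.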
Timeline
Published on: 12/06/2024 10:15:05 UTC