CVE-2024-11728
Published 2024-12-06
Priority: P2 (68) · Severity: high · CVSS 3.1 score 7.5 · vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: available · EPSS: 13.26% (95.9th percentile)
The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'visit_type[service_id]' parameter of the tax_calculated_data AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| iqonic | kivicare | <= 3.6.5 | — |
| iqonicdesign | kivicare_clinic_patient_management_system | <= 3.6.4 | — |
Detection & IOCs (extracted from sources)
sigma: contains_all(body, "status", "message", "total_tax") AND contains(content_type, "application/json") AND status_code == 200
- The exploit uses a fixed nonce value '5d77fc94cf' in the _ajax_nonce field; requests with this static nonce to admin-ajax.php should be flagged as suspicious.
- Monitor for anomalous response times (>=4.5 seconds) on admin-ajax.php POST requests targeting tax_calculated_data, indicative of time-based blind SQL injection.
- The vulnerability is in the 'visit_type[service_id]' parameter of the tax_calculated_data AJAX action; inspect this parameter for SQL metacharacters and injection patterns.
- Use the Google Dork to identify exposed WordPress instances running the vulnerable plugin for proactive scanning.
- Successful exploitation returns a JSON response body containing the keys 'status', 'message', and 'total_tax' with HTTP 200 and Content-Type application/json.
- The exploit's hardcoded nonce value ('5d77fc94cf') may need to be updated per target, as WordPress nonces are site- and time-specific; detection rules relying solely on this static value may miss adapted variants.
- The vulnerability affects all versions up to and including 3.6.4; no patched version is referenced in the sources, so all installations at or below this version should be considered vulnerable.
- The attack is unauthenticated, meaning no session or login is required, significantly broadening the attack surface and making network-layer blocking of authenticated-only endpoints ineffective as a sole mitigation.
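A detection routine that applies the indicators listed above to request/response records, added here as an example (it is not from the page's sources, the exploit, or the plugin's code). It assumes a constructed tab-separated proxy log layout and, rather than matching a metacharacter list, treats any non-numeric 'visit_type[service_id]' value as suspect; the Nuclei response matcher also fires on legitimate replies, so the routine never alerts on it alone.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

STATIC_NONCE = "5d77fc94cf"            # nonce hardcoded in the public exploit (from the notes above)
SLOW_RESPONSE_SECONDS = 4.5            # time-based blind SQLi threshold (from the notes above)
TARGET_ACTION = "tax_calculated_data"
INJECTED_PARAM = "visit_type[service_id]"
RESPONSE_KEYS = ("status", "message", "total_tax")   # the Nuclei template's body matcher

@dataclass
class AjaxEvent:
    path: str
    form: dict[str, str]
    status: int
    content_type: str
    elapsed: float
    body: str

def parse_event(line: str) -> AjaxEvent:
    """Parse one constructed tab-separated line: path, status, content_type, elapsed_seconds, form body, response snippet."""
    path, status, ctype, elapsed, form_body, body = line.rstrip("\n").split("\t")
    form = {k: v[0] for k, v in parse_qs(form_body, keep_blank_values=True).items()}  # decodes visit_type%5B...%5D
    return AjaxEvent(path, form, int(status), ctype, float(elapsed), body)

def evaluate(ev: AjaxEvent) -> list[str]:
    """Return the indicator names that fire for one event (empty list means nothing to review)."""
    if not ev.path.endswith("/wp-admin/admin-ajax.php") or ev.form.get("action") != TARGET_ACTION:
        return []
    hits = []
    if ev.form.get("_ajax_nonce") == STATIC_NONCE:
        hits.append("static_nonce")
    sid = ev.form.get(INJECTED_PARAM, "")
    if not sid.isdigit():   # a legitimate service id is numeric; quotes, comment sequences or keywords are not
        hits.append("service_id_non_numeric")
    if ev.elapsed >= SLOW_RESPONSE_SECONDS:
        hits.append("slow_response")
    if ev.status == 200 and "application/json" in ev.content_type and all(k in ev.body for k in RESPONSE_KEYS):
        hits.append("matcher_hit")   # legitimate replies look the same, so never alert on this alone
    return [] if hits == ["matcher_hit"] else hits

def scan(lines: list[str]) -> dict[int, list[str]]:
    """Map line index -> fired indicators for every line that warrants review."""
    results = {i: evaluate(parse_event(line)) for i, line in enumerate(lines)}
    return {i: hits for i, hits in results.items() if hits}

SAMPLE_LOG = [  # constructed sample traffic, not captured data: benign, suspect, unrelated action
    "/wp-admin/admin-ajax.php\t200\tapplication/json\t0.12\taction=tax_calculated_data&_ajax_nonce=a1b2c3d4e5&visit_type%5Bservice_id%5D=7\t{\"status\":true,\"message\":\"ok\",\"total_tax\":3.5}",
    "/wp-admin/admin-ajax.php\t200\tapplication/json\t5.21\taction=tax_calculated_data&_ajax_nonce=5d77fc94cf&visit_type%5Bservice_id%5D=7%27\t{\"status\":true,\"message\":\"ok\",\"total_tax\":0}",
    "/wp-admin/admin-ajax.php\t200\ttext/html\t0.05\taction=heartbeat\t",
]
```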
No detection rules found.
Exploit-DB
KiviCare Clinic & Patient Management System (EHR) 3.6.4 - Unauthenticated SQL Injection
exploitdb · 2025-04-18 · CVSS 7.5
---
# Exploit Title: KiviCare Clinic & Patient Management System (EHR) 3.6.4 - Unauthenticated SQL Injection
# Google Dork: inurl:"/wp-content/plugins/kivicare-clinic-management-system/
# Date: 11/12/2024
# Exploit Author: Samet "samogod" Gözet
# Vendor Homepage: wordpress.org
# Software Link: https://wordpress.org/plugins/kivicare-clinic-management-system/
# Version: [-t ] [-v]
"""
import argparse
import requests
import sys
import time
from urllib3.exceptions import InsecureRequestWarning
# Disable SSL warnings
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
class KiviCareExploit:
def __init__(self, url, timeout=10, verbose=False):
self.url = url.rstrip('/
Nuclei
KiviCare Clinic & Patient Management System (EHR) <= 3.6.4 - SQL Injection
nuclei · CVSS 7.5
Template matchers (fragment):
- 'contains_all(body, "status", "message", "total_tax")'
- 'contains(content_type, "application/json")'
- 'status_code == 200'
condition: and
No writeups or analysis indexed.