CVE-2024-11728 Overview
CVE-2024-11728 is an unauthenticated SQL Injection vulnerability in the KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress. The flaw affects all versions up to and including 3.6.4. The vulnerability resides in the tax_calculated_data AJAX action and is triggered through the visit_type[service_id] parameter. Insufficient escaping of user input and a lack of proper query preparation allow attackers to append arbitrary SQL statements to existing queries. Successful exploitation enables extraction of sensitive data from the WordPress database without authentication. The vulnerability is tracked under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Unauthenticated attackers can extract sensitive database contents — including patient records, user credentials, and configuration data — by injecting SQL through a publicly reachable AJAX endpoint.
Affected Products
- Iqonic KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress
- All versions through 3.6.4
- WordPress installations exposing the tax_calculated_data AJAX action
Discovery Timeline
- 2024-12-06 - CVE-2024-11728 published to NVD
- 2025-02-05 - Last updated in NVD database
Technical Details for CVE-2024-11728
Vulnerability Analysis
The vulnerable code path lives in the KCTaxController class within the KiviCare plugin. The tax_calculated_data AJAX handler accepts the visit_type[service_id] parameter directly from the request and concatenates it into a SQL query without parameterization. Because the AJAX action is registered for unauthenticated users through wp_ajax_nopriv_, any anonymous visitor can invoke it.
The injection point is a numeric field that the application treats as trusted. Attackers can supply crafted payloads — including UNION SELECT statements — to read arbitrary columns from any table the WordPress database user can access. This includes wp_users, patient records, and plugin-specific clinical data.
The vulnerability carries a CVSS base score of 7.5 because it is reachable over the network, requires no privileges, and has a high confidentiality impact, while integrity and availability remain unaffected.
Root Cause
The root cause is improper input handling in the tax_calculated_data controller method. The code fails to cast the service_id value to an integer and does not use $wpdb->prepare() placeholders. Instead, the parameter flows directly into the SQL string. WordPress provides sanitize_text_field(), absint(), and prepared statement helpers, none of which were applied to this code path.
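The pattern described above, as an added illustration that is not KiviCare's own code: a minimal WordPress AJAX handler written the unsafe way the advisory describes, beside a hardened rewrite using absint() and $wpdb->prepare(). The function names (kc_tax_calculated_data_unsafe / kc_tax_calculated_data_safe) and the table name kc_services are assumptions; only the wp_kc_ prefix and the parameter names come from the advisory.

```php
<?php
// Added illustrative example, not the plugin's actual code. Function names and the
// kc_services table are assumptions; the request shape (visit_type[service_id]) and
// the wp_ajax_nopriv_ registration follow the advisory's description.

// BEFORE (unsafe): the nested request value is interpolated straight into SQL.
function kc_tax_calculated_data_unsafe() {
    global $wpdb;
    $service_id = $_POST['visit_type']['service_id'] ?? '';
    // Anything the client sends becomes part of the statement text.
    $rows = $wpdb->get_results(
        "SELECT id, price FROM {$wpdb->prefix}kc_services WHERE id = {$service_id}"
    );
    wp_send_json_success( $rows );
}

// AFTER (hardened): reject non-scalar input, coerce to a non-negative integer,
// refuse an impossible id, and bind the value through a %d placeholder.
function kc_tax_calculated_data_safe() {
    global $wpdb;
    $raw = $_POST['visit_type']['service_id'] ?? null;
    // visit_type[service_id][]=... would arrive as an array; treat it as invalid.
    if ( ! is_scalar( $raw ) ) {
        wp_send_json_error( array( 'message' => 'invalid service_id' ), 400 );
    }
    // absint() returns a non-negative integer; 0 means no usable id was supplied.
    $service_id = absint( wp_unslash( $raw ) );
    if ( 0 === $service_id ) {
        wp_send_json_error( array( 'message' => 'invalid service_id' ), 400 );
    }
    // prepare() binds the integer; the value can no longer change query structure.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, price FROM {$wpdb->prefix}kc_services WHERE id = %d",
            $service_id
        )
    );
    wp_send_json_success( $rows );
}

// Registration as the advisory describes it (reachable without authentication).
// The fix lives in the handler; whether the action needs to be nopriv at all is a
// separate design decision worth revisiting during review.
add_action( 'wp_ajax_nopriv_tax_calculated_data', 'kc_tax_calculated_data_safe' );
add_action( 'wp_ajax_tax_calculated_data', 'kc_tax_calculated_data_safe' );
```

The order of checks matters: absint() on an array would not fail loudly, so the scalar check comes first, and the zero check catches both empty input and strings that do not begin with a digit. Once the value is an integer bound through %d, the keyword-based WAF rule in the Workarounds section becomes defence in depth rather than the only barrier.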
Attack Vector
An unauthenticated attacker sends a crafted POST request to /wp-admin/admin-ajax.php with action=tax_calculated_data and a malicious visit_type[service_id] payload. The injected SQL executes within the context of the WordPress database user. UNION-based extraction is possible because the endpoint returns query results in its JSON response; time-based blind techniques apply regardless of what the response contains.
The vulnerability mechanism is described in detail in the Wordfence Vulnerability Analysis and the WordPress Plugin Changeset that introduced the fix. No verified public proof-of-concept code is referenced in this advisory.
Detection Methods for CVE-2024-11728
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php with action=tax_calculated_data originating from unauthenticated sessions.
- visit_type[service_id] parameter values containing SQL keywords such as UNION, SELECT, SLEEP, BENCHMARK, or comment sequences -- and /*.
- Unusual response sizes or latency spikes on the tax_calculated_data endpoint indicating time-based blind injection.
- Database error messages referencing the wp_kc_ tables in PHP error logs.
Detection Strategies
- Inspect web server access logs for high-volume requests to the tax_calculated_data AJAX action from a single source.
- Deploy WAF rules that block SQL metacharacters in the visit_type[service_id] parameter.
- Correlate WordPress admin-ajax.php traffic with database query logs to identify malformed queries against KiviCare tables.
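The indicators and strategies above turned into a small checker, as an added example that is not part of the advisory: a PHP CLI script that counts requests to the tax_calculated_data action per source IP from combined-format access log lines, and separately inspects URL-encoded parameter strings for a visit_type[service_id] value carrying the listed SQL keywords. Because a standard access log records only the query string, the keyword check must be fed from something that captures request bodies (a WAF audit log or a body-logging reverse proxy); the log lines and parameter strings below are constructed samples, not real traffic.

```php
<?php
// Added example, not from the advisory or the plugin. Applies the Indicators of
// Compromise above to constructed input. Assumes combined log format for the access
// log and URL-encoded "key=value&..." strings for captured request parameters.

const TARGET_ACTION = 'tax_calculated_data';
// Keyword indicators listed in the advisory; matched case-insensitively after decoding.
const SQLI_PATTERN = '/(union|select|sleep|benchmark|--|\/\*)/i';

/**
 * Count requests per source IP whose query string invokes the vulnerable action.
 * Returns [ip => count] sorted descending, for spotting a single noisy source.
 */
function count_action_requests(array $lines): array {
    $counts = [];
    foreach ($lines as $line) {
        // ip ident user [timestamp] "METHOD target PROTOCOL" ...
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:POST|GET) (\S+) [^"]*"/', $line, $m)) {
            continue;
        }
        $url = parse_url($m[2]);
        if (($url['path'] ?? '') !== '/wp-admin/admin-ajax.php') {
            continue;
        }
        parse_str($url['query'] ?? '', $params);
        if (($params['action'] ?? '') === TARGET_ACTION) {
            $counts[$m[1]] = ($counts[$m[1]] ?? 0) + 1;
        }
    }
    arsort($counts);
    return $counts;
}

/**
 * Inspect one URL-encoded parameter string (query string or POST body). Returns the
 * decoded visit_type[service_id] value when it looks like injection, else null.
 */
function suspicious_service_id(string $encoded): ?string {
    parse_str($encoded, $params);              // decodes %xx, '+', and nested [] keys
    if (($params['action'] ?? '') !== TARGET_ACTION) {
        return null;
    }
    $value = $params['visit_type']['service_id'] ?? null;
    if ($value === null) {
        return null;
    }
    if (is_array($value)) {
        return 'non-scalar service_id';        // an id should never be an array
    }
    if (ctype_digit($value)) {
        return null;                           // a plain integer id is the expected shape
    }
    return preg_match(SQLI_PATTERN, $value) ? $value : null;
}

// --- Constructed sample data (not real traffic) ---
$access_log = [
    '203.0.113.9 - - [06/Dec/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=tax_calculated_data HTTP/1.1" 200 412 "-" "python-requests/2.31"',
    '203.0.113.9 - - [06/Dec/2024:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?action=tax_calculated_data HTTP/1.1" 200 9120 "-" "python-requests/2.31"',
    '198.51.100.4 - - [06/Dec/2024:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52 "-" "Mozilla/5.0"',
];
$captured_params = [
    'action=tax_calculated_data&visit_type%5Bservice_id%5D=12',
    'action=tax_calculated_data&visit_type%5Bservice_id%5D=1+UNION+SELECT+1%2C2%2C3--',
    'action=tax_calculated_data&visit_type%5Bservice_id%5D=1%29+AND+SLEEP%285%29%23',
];

print_r(count_action_requests($access_log));   // 203.0.113.9 => 2
foreach ($captured_params as $p) {
    $hit = suspicious_service_id($p);
    echo $hit === null ? "ok\n" : "SUSPICIOUS: {$hit}\n";
}
```

The ctype_digit() short-circuit keeps legitimate numeric ids out of the keyword match, which is the same property the hardened handler enforces at the application layer. A noticeable jump in response size between two otherwise identical requests from the same source (412 versus 9120 bytes in the sample) is the kind of anomaly the "unusual response sizes" indicator refers to and is worth surfacing alongside the per-IP count.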
Monitoring Recommendations
- Enable MySQL general query logging temporarily on suspect hosts to capture injected payloads.
- Alert on outbound data transfers from web servers that exceed baseline volumes following requests to the vulnerable endpoint.
- Monitor for new or modified WordPress administrator accounts created shortly after suspicious AJAX activity.
How to Mitigate CVE-2024-11728
Immediate Actions Required
- Upgrade the KiviCare plugin to a version higher than 3.6.4 containing the fix from changeset 3201428.
- Audit the WordPress database for unauthorized access by reviewing wp_users and KiviCare tables for unexpected modifications.
- Rotate all WordPress administrator and database credentials if exploitation is suspected, given that the EPSS score of 72.218% indicates an elevated likelihood of exploitation.
Patch Information
Iqonic patched the vulnerability through plugin code changes in the KCTaxController.php file. The fix introduces proper input sanitization and prepared statements for the service_id parameter. Site administrators should update through the WordPress plugin dashboard or by downloading the latest release from the official plugin repository.
Workarounds
- Disable the KiviCare plugin until the patched version can be deployed.
- Block requests to /wp-admin/admin-ajax.php containing action=tax_calculated_data at the WAF or reverse proxy layer.
- Restrict access to the WordPress administrative AJAX endpoint by source IP where feasible.
# Example WAF rule (ModSecurity) to block exploitation attempts.
# Rule 1 matches the vulnerable action and chains to rule 2, which inspects only the
# visit_type[service_id] argument (selected by regex) after URL decoding. The deny
# fires only when both rules match, so ordinary KiviCare requests carrying a plain
# numeric id are not affected. Requires SecRequestBodyAccess On so that POST
# parameters are visible in phase 2.
SecRule ARGS:action "@streq tax_calculated_data" \
"id:1011728,phase:2,deny,status:403,log,\
msg:'Block CVE-2024-11728 KiviCare SQLi attempts',\
t:none,chain"
SecRule ARGS:/^visit_type\[service_id\]/ "@rx (?i)(union|select|sleep|benchmark|--|/\*)" \
"t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.