CVE-2025-1572 Overview
CVE-2025-1572 is an authenticated SQL injection vulnerability in the KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress. The flaw affects all versions up to and including 3.6.7. The vulnerability resides in the u_id parameter handled by KCPatientController.php, where user-supplied input is concatenated into a SQL query without proper escaping or prepared statement usage. Attackers holding doctor-level access or higher can append additional SQL clauses to existing queries. Successful exploitation enables extraction of sensitive data from the WordPress database, including patient records, credentials, and configuration values. The vulnerability is classified under CWE-89.
Critical Impact
Authenticated attackers with doctor-level privileges can execute arbitrary SQL queries against the WordPress database, leading to disclosure of patient health information and credentials.
Affected Products
- Iqonic KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress
- All versions up to and including 3.6.7
- WordPress installations using KiviCare for clinic or EHR workflows
Discovery Timeline
- 2025-02-28 - CVE-2025-1572 published to NVD
- 2025-03-06 - Last updated in NVD database
Technical Details for CVE-2025-1572
Vulnerability Analysis
The vulnerability exists in the patient controller logic at app/controllers/KCPatientController.php, specifically around lines 330–331 referenced by the vendor advisory. The u_id parameter is consumed from request input and inserted directly into a SQL statement. The plugin does not apply WordPress sanitization helpers such as absint() or esc_sql(), nor does it use $wpdb->prepare() with parameter placeholders. As a result, the parameter operates as a SQL injection sink in a query that already runs with database privileges granted to the WordPress site user.
Because exploitation requires doctor-level authentication, the attacker must first obtain valid credentials, register an account if registration is open, or compromise an existing privileged account. KiviCare operates in healthcare environments where exposed data typically includes protected health information (PHI), appointment records, and billing data.
Root Cause
The root cause is insufficient escaping of user-controlled input combined with the absence of prepared statements. The query string is built through PHP string concatenation rather than using wpdb::prepare() with %d or %s placeholders, allowing injected SQL syntax to alter query semantics.
Attack Vector
The attack is delivered over the network via standard HTTP(S) requests to authenticated KiviCare endpoints that accept the u_id parameter. An authenticated user with doctor-level access submits a crafted value, such as a UNION SELECT clause or boolean-based payload, to retrieve database rows the user is not authorized to read.
The vulnerability is described in prose only. Refer to the Wordfence Vulnerability Report and the WordPress Code Reference for the vulnerable lines.
Detection Methods for CVE-2025-1572
Indicators of Compromise
- HTTP requests containing SQL metacharacters such as ', UNION, SELECT, SLEEP(, or -- in the u_id parameter targeting KiviCare endpoints.
- Unusual wp-admin/admin-ajax.php activity originating from accounts with the doctor role.
- Database error responses or extended response times correlated with KiviCare patient controller requests.
- New or unexpected wp_users entries, role changes, or option modifications following KiviCare API activity.
Detection Strategies
- Inspect web server and WordPress logs for u_id parameter values containing non-numeric content or SQL keywords.
- Apply WAF signatures for SQL injection patterns scoped to KiviCare request paths.
- Correlate authentication telemetry with database query anomalies originating from the WordPress host.
Monitoring Recommendations
- Forward WordPress, web server, and MySQL/MariaDB audit logs to a centralized SIEM for correlation.
- Alert on spikes in query volume, query errors, or INFORMATION_SCHEMA reads from the WordPress database user.
- Monitor for privilege escalation events on WordPress accounts with the doctor role following anomalous request patterns.
How to Mitigate CVE-2025-1572
Immediate Actions Required
- Upgrade the KiviCare plugin to a version later than 3.6.7 that includes the fix introduced in WordPress Changeset #3245759.
- Audit all WordPress accounts with the doctor role or higher and revoke unused or stale accounts.
- Rotate WordPress administrator passwords and database credentials if compromise is suspected.
- Review database query and access logs for evidence of prior exploitation against the u_id parameter.
Patch Information
The vendor addressed the issue in WordPress Changeset #3245759, which corrects the unsafe parameter handling in KCPatientController.php. Site operators should update to the patched release available through the WordPress plugin repository.
Workarounds
- Deploy a web application firewall rule that blocks non-integer values for the u_id parameter on KiviCare endpoints.
- Restrict access to the WordPress admin interface and KiviCare endpoints to trusted IP ranges via reverse proxy or .htaccess controls.
- Temporarily disable the KiviCare plugin until the patched version can be deployed.
- Apply least-privilege principles to the WordPress database user, removing access to tables not required by the application.
# Configuration example: nginx rule restricting u_id to integers on KiviCare endpoints
location ~* /wp-admin/admin-ajax\.php {
if ($arg_u_id !~ "^[0-9]+$") {
return 403;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
