CVE-2022-0786: 
WordPress vulnerability analysis and mitigation

The KiviCare WordPress plugin before version 2.3.9 contains a critical SQL Injection vulnerability (CVE-2022-0786) that was discovered in February 2022. The vulnerability affects the KiviCare Clinic Management System plugin and allows unauthenticated users to perform SQL injection attacks through unsanitized parameters in the ajaxpost AJAX action with the getdoctor_details route (WPScan, NVD).

The vulnerability stems from improper input validation where the plugin fails to sanitize and escape parameters before using them in SQL statements. It has a CVSS v3.1 base score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-89 (SQL Injection) and falls under the OWASP Top 10 category A1: Injection (WPScan, NVD).

This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on the affected WordPress installation's database. Due to its unauthenticated nature and the critical CVSS score, it poses a severe risk to the confidentiality, integrity, and availability of the affected systems (NVD).

The vulnerability has been fixed in KiviCare version 2.3.9. Users are strongly advised to update to this version or later to mitigate the risk (WPScan).