CVE-2024-11729: 
WordPress vulnerability analysis and mitigation

The KiviCare – Clinic & Patient Management System (EHR) WordPress plugin contains a SQL Injection vulnerability (CVE-2024-11729) discovered in December 2024. The vulnerability affects all versions up to and including 3.6.4, and is present in the 'service_list[0][service_id]' parameter of the get_widget_payment_options AJAX action (NVD).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. The issue has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) (NVD, Wordfence).

The vulnerability allows authenticated attackers with Custom-level access and above to append additional SQL queries to existing queries, potentially enabling the extraction of sensitive information from the database (NVD).

A patch has been released and is available through the WordPress plugin repository. Users are advised to update to a version newer than 3.6.4 (WordPress Patch).