CVE-2024-11730: 
WordPress vulnerability analysis and mitigation

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress contains a SQL Injection vulnerability (CVE-2024-11730) discovered in December 2024. The vulnerability affects all versions up to and including 3.6.4, where the 'sort[]' parameter of the static_data_list AJAX action is susceptible to SQL injection attacks (NVD).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries in the static_data_list AJAX action. The CVSS v3.1 base score is 6.5 (Medium), with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires network access and low privileges to exploit, requires no user interaction, and can result in high confidentiality impact (NVD).

When successfully exploited, attackers with doctor or receptionist-level access (or higher) can append additional SQL queries to existing ones, potentially extracting sensitive information from the database. The vulnerability primarily affects the confidentiality of the system, with no direct impact on integrity or availability (NVD).

Users are advised to update their KiviCare plugin to version 3.6.5 or later, which contains the fix for this vulnerability. A patch has been released and is available through the WordPress plugin repository (Patch).