CVE-2025-1572: 
WordPress vulnerability analysis and mitigation

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress was identified with SQL Injection vulnerability (CVE-2025-1572) affecting all versions up to and including 3.6.7. The vulnerability was discovered and disclosed on February 27, 2025, impacting the WordPress plugin's handling of the 'u_id' parameter (NVD).

The vulnerability stems from insufficient escaping of user-supplied parameters and inadequate preparation of SQL queries, specifically in the 'u_id' parameter. The CVSS v3.1 base score is 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, though Wordfence assessed it at 6.5 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-89 (SQL Injection) (NVD).

The vulnerability allows authenticated attackers with doctor-level access or higher to append additional SQL queries to existing queries, potentially leading to unauthorized access to sensitive information stored in the database (NVD).

A security patch has been released in version 3.6.8 on February 24, 2024. Users are strongly advised to update to this latest version to address the vulnerability (WordPress Plugin).