Kivicare@* Security Vulnerabilities and Issues — Kivicare@* CVE List

Lucene search

IqonicKivicare*

10 matches found

CVE•added 2022/06/13 1:15 p.m.•78 views

CVE-2022-0786

The KiviCare WordPress plugin before 2.3.9 does not sanitise and escape some parameters before using them in SQL statements via the ajax_post AJAX action with the get_doctor_details route, leading to SQL Injections exploitable by unauthenticated users

9.8CVSS9.7AI score0.74682EPSS

CVE•added 2024/12/06 10:15 a.m.•74 views

CVE-2024-11728

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'visit_type[service_id]' parameter of the tax_calculated_data AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and l...

7.5CVSS7.7AI score0.51904EPSS

CVE•added 2025/02/28 8:15 a.m.•45 views

CVE-2025-1572

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_id’ parameter in all versions up to, and including, 3.6.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. ...

8.8CVSS6.5AI score0.00057EPSS

CVE•added 2023/06/27 2:15 p.m.•44 views

CVE-2023-2623

The KiviCare WordPress plugin before 3.2.1 does not restrict the information returned in a response and returns all user data, allowing low privilege users such as subscriber to retrieve sensitive information such as the user email and hashed password of other users

6.5CVSS6.4AI score0.00276EPSS

CVE•added 2024/12/06 11:15 a.m.•43 views

CVE-2024-11729

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'service_list[0][service_id]' parameter of the get_widget_payment_options AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied par...

6.5CVSS6.5AI score0.00197EPSS

CVE•added 2024/06/08 4:15 p.m.•43 views

CVE-2024-35659

Authorization Bypass Through User-Controlled Key vulnerability in KiviCare.This issue affects KiviCare: from n/a through 3.6.2.

8.8CVSS5.7AI score0.00073EPSS

CVE•added 2023/06/27 2:15 p.m.•41 views

CVE-2023-2624

The KiviCare WordPress plugin before 3.2.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as administrator

6.1CVSS5.9AI score0.09978EPSS

CVE•added 2024/12/06 11:15 a.m.•37 views

CVE-2024-11730

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the 'sort[]' parameter of the static_data_list AJAX action in all versions up to, and including, 3.6.4 due to insufficient escaping on the user supplied parameter and lack of sufficient p...

6.5CVSS6.5AI score0.00096EPSS

CVE•added 2023/06/27 2:15 p.m.•36 views

CVE-2023-2628

The KiviCare WordPress plugin before 3.2.1 does not have CSRF checks (either flawed or missing completely) in various AJAX actions, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. This includes, but is not limited to: Delete arbitrary appointments/medi...

8.8CVSS8.7AI score0.00343EPSS

CVE•added 2023/06/27 2:15 p.m.•32 views

CVE-2023-2627

The KiviCare WordPress plugin before 3.2.1 does not have proper CSRF and authorisation checks in various AJAX actions, allowing any authenticated users, such as subscriber to call them. Attacks include but are not limited to: Add arbitrary Clinic Admin/Doctors/etc and update plugin's settings

4.3CVSS4.5AI score0.00086EPSS