CVE-2022-0786
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands on WordPress sites using the KiviCare plugin. It affects all WordPress installations with KiviCare plugin versions before 2.3.9, potentially compromising the entire database.
💻 Affected Systems
- KiviCare - Clinic & Patient Management System (EHR)
📦 What is this software?
KiviCare by Iqonic
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise allowing data theft, modification, or deletion; potential privilege escalation to administrator; possible remote code execution via database functions.
Likely Case
Unauthenticated attackers extract sensitive data (user credentials, patient records, payment information) and potentially modify database content.
If Mitigated
With proper input validation and parameterized queries, SQL injection would be prevented entirely.
🎯 Exploit Status
SQL injection via the 'get_doctor_details' route of the ajax_post AJAX action. Attackers can send crafted HTTP POST requests to wp-admin/admin-ajax.php without authenticating.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.9
Vendor Advisory: https://wpscan.com/vulnerability/53f493e9-273b-4349-8a59-f2207e8f8f30
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the KiviCare plugin.
4. Click 'Update Now' if an update is available.
5. If no update appears, manually download version 2.3.9 or later from the WordPress plugin repository.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
Platform: Linux
Temporarily block access to the vulnerable ajax_post endpoint with the get_doctor_details route.
Add to .htaccess:
RewriteCond %{QUERY_STRING} action=ajax_post.*get_doctor_details [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
Note that mod_rewrite can only inspect the query string, not the POST body, so this rule only blocks requests that carry the action and route parameters in the URL. Requests that carry them in the form body need the WAF rule below.
Web Application Firewall rule
Platform: all
Block SQL injection patterns targeting the vulnerable endpoint.
WAF-specific; create a rule that blocks POST requests to /wp-admin/admin-ajax.php with 'action=ajax_post' and 'route=get_doctor_details' whose parameters contain SQL keywords.
🧯 If You Can't Patch
- Disable the KiviCare plugin completely until patched
- Implement strict network ACLs to limit access to wp-admin/admin-ajax.php from untrusted sources
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → KiviCare version. If version < 2.3.9, vulnerable.
Check Version:
wp plugin list --name=kivicare --field=version (if WP-CLI installed)
Verify Fix Applied:
Confirm KiviCare plugin version is 2.3.9 or higher in WordPress admin panel.
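The version check above is easy to get wrong when scripted, because comparing version strings lexically puts "2.3.10" before "2.3.9". The following script is an added example, not part of the advisory or the plugin: it reads the installed version with the advisory's WP-CLI command (assuming WP-CLI is on PATH and the script is run from, or pointed at, the WordPress root) and compares it to the fixed release as a tuple of integers.

```python
import re
import subprocess

# Fixed version stated in the advisory.
FIXED_VERSION = "2.3.9"
# Plugin slug as used in the advisory's WP-CLI command.
PLUGIN_SLUG = "kivicare"


def parse_version(text):
    """Turn '2.3.9' or '2.3.10-beta1' into a tuple of ints, ignoring any suffix.

    Comparing tuples avoids the lexical trap where '2.3.10' < '2.3.9' as strings.
    """
    match = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(installed):
    """True when the installed KiviCare version is below the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def installed_version(wp_path="."):
    """Ask WP-CLI for the installed KiviCare version (None if not installed).

    Assumes WP-CLI is on PATH; wp_path is the WordPress root (hypothetical default).
    """
    result = subprocess.run(
        ["wp", "plugin", "list", f"--name={PLUGIN_SLUG}", "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True, check=False,
    )
    version = result.stdout.strip()
    return version or None


if __name__ == "__main__":
    version = installed_version()
    if version is None:
        print("KiviCare not installed (or WP-CLI unavailable)")
    else:
        state = "VULNERABLE" if is_vulnerable(version) else "patched"
        print(f"KiviCare {version}: {state}")
```

Run it from the WordPress root, or pass the root as `wp_path`; the exit state is decided purely by the numeric comparison, so a future "2.3.10" is correctly reported as patched.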
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with 'action=ajax_post' and 'route=get_doctor_details' containing SQL keywords (UNION, SELECT, INSERT, etc.)
- Unusual database queries from WordPress application user
Network Indicators:
- HTTP POST requests to wp-admin/admin-ajax.php with SQL injection payloads in parameters
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND (params CONTAINS "ajax_post" AND params CONTAINS "get_doctor_details") AND (params CONTAINS "UNION" OR params CONTAINS "SELECT" OR params CONTAINS "INSERT")
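The SIEM query above is a pseudo-query; the script below is an added example (not from the advisory or any SIEM product) that applies the same rule to JSON-lines records. It assumes each record has "method", "uri" and "params" fields, where "params" holds the query string and form body together as a WAF or body-logging reverse proxy would record it (a plain Apache/nginx access log does not contain the POST body). It goes slightly beyond the advisory's indicators by matching keywords on word boundaries, adding UPDATE, DELETE and DROP, and decoding double-URL-encoded values before inspection. The sample records are constructed, not captured traffic.

```python
import json
import re
from urllib.parse import parse_qs, unquote_plus

# Endpoint, action and route named in the advisory.
TARGET_URI = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "ajax_post"
TARGET_ROUTE = "get_doctor_details"

# Keywords from the advisory's log indicators (UPDATE, DELETE, DROP are added here),
# matched on word boundaries and case-insensitively so that ordinary words such as
# "selected" inside a free-text field do not trip the rule.
SQL_KEYWORDS = ("UNION", "SELECT", "INSERT", "UPDATE", "DELETE", "DROP")
KEYWORD_RE = re.compile(r"\b(" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def decode_params(raw):
    """Parse a query string or form body into {name: [values]}.

    parse_qs decodes once; each value is decoded a second time so that a
    double-URL-encoded payload is inspected in its decoded form.
    """
    params = parse_qs(raw, keep_blank_values=True)
    return {name: [unquote_plus(v) for v in values] for name, values in params.items()}


def matches_rule(record):
    """Apply the advisory's SIEM rule to one record.

    A hit is a POST to admin-ajax.php with action=ajax_post and
    route=get_doctor_details where any parameter value contains a SQL keyword.
    """
    if record.get("method", "").upper() != "POST":
        return False
    if record.get("uri", "").split("?", 1)[0] != TARGET_URI:
        return False
    params = decode_params(record.get("params", ""))
    if TARGET_ACTION not in params.get("action", []):
        return False
    if TARGET_ROUTE not in params.get("route", []):
        return False
    return any(KEYWORD_RE.search(v) for values in params.values() for v in values)


def scan(lines):
    """Return (line_number, record) for every JSON-lines record matching the rule.

    Blank and malformed lines are skipped rather than aborting the scan.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(record, dict):
            continue
        if matches_rule(record):
            hits.append((number, record))
    return hits


# Constructed sample records (not real traffic), one JSON object per line.
SAMPLE_LOG_LINES = [
    '{"method": "POST", "uri": "/wp-admin/admin-ajax.php", "params": "action=ajax_post&route=get_doctor_details&id=12"}',
    '{"method": "POST", "uri": "/wp-admin/admin-ajax.php", "params": "action=ajax_post&route=get_doctor_details&id=12+UNION+SELECT+1"}',
    '{"method": "POST", "uri": "/wp-admin/admin-ajax.php", "params": "action=ajax_post&route=get_doctor_details&id=12%2520UNION%2520SELECT%25201"}',
    '{"method": "POST", "uri": "/wp-admin/admin-ajax.php", "params": "action=ajax_post&route=get_clinic_details&q=select"}',
    '{"method": "GET", "uri": "/wp-admin/admin-ajax.php", "params": "action=ajax_post&route=get_doctor_details&id=1+UNION+SELECT+1"}',
    '{"method": "POST", "uri": "/wp-admin/admin-ajax.php", "params": "action=ajax_post&route=get_doctor_details&notes=The+doctor+selected+a+slot"}',
    'not a json record',
]


if __name__ == "__main__":
    for number, record in scan(SAMPLE_LOG_LINES):
        print(f"line {number}: {record['params']}")
```

Only the second and third sample records are flagged: the plainly encoded and the double-encoded keyword payloads. The fourth targets a different route, the fifth is a GET (the advisory's indicators are POST-only; drop the method check if you also want GET variants flagged, since admin-ajax.php reads the action from $_REQUEST), and the sixth contains "selected", which the word-boundary match correctly ignores. Feed it real records by reading a JSON-lines file into `scan`.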