CVE-2025-1572

Medium

Published: 28 February 2025

Published

28 February 2025

Modified

06 March 2025

KEV Added

—

Patch

—

CVSS Score 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0012 31.0th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-1572 is a medium-severity SQL Injection (CWE-89) vulnerability in Iqonic Kivicare. Its CVSS base score is 6.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation and sanitization of user-supplied inputs like the 'u_id' parameter to prevent SQL injection by addressing insufficient escaping and lack of query preparation.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation, such as applying the patch in changeset 3245759 to versions beyond 3.6.7, eliminating the specific SQL injection vulnerability.

RA-5 Vulnerability Monitoring and Scanning partial match

detect

Provides vulnerability scanning to identify SQL injection flaws like CVE-2025-1572 in web plugins prior to exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing WordPress plugin directly enables remote exploitation of web app (T1190) and extraction of sensitive data from backend database (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to SQL Injection via the ‘u_id’ parameter in all versions up to, and including, 3.6.7 due to insufficient escaping on the user supplied parameter and lack…

of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with doctor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Deeper analysisAI

CVE-2025-1572 is a SQL injection vulnerability in the KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress, affecting all versions up to and including 3.6.7. The flaw stems from insufficient escaping of the user-supplied 'u_id' parameter and lack of proper preparation in the existing SQL query within the app/controllers/KCPatientController.php file, specifically around lines 330 and 331. This CWE-89 issue has a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N), highlighting high confidentiality impact with medium overall severity.

Authenticated attackers with doctor-level access or higher can exploit this vulnerability over the network with low complexity. By injecting malicious SQL via the 'u_id' parameter, they can append additional queries to existing ones, enabling extraction of sensitive information from the database, such as patient records or other clinic data.

Mitigation is addressed in WordPress plugin changeset 3245759, which patches the vulnerable code in KCPatientController.php. Security practitioners should update to a version beyond 3.6.7 and review the plugin's developer page on WordPress.org for further details.