CVE-2024-12614
Published: 16 January 2025
Summary
CVE-2024-12614 is a high-severity vulnerability in the Hirewebxperts Passwords Manager plugin for WordPress: a missing capability check (CWE-862, Missing Authorization) on two AJAX actions lets any authenticated user, Subscriber and above, change the plugin's settings and add password entries. The record also carries CWE-89 (SQL Injection), but the behaviour described is an authorization gap, not an injection. The recorded CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The remediation is to update the plugin to a release that contains the capability-check fix (plugin Trac changeset 3221505). The strongest compensating controls our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2024-12614 is a vulnerability in the Passwords Manager plugin for WordPress, affecting all versions up to and including 1.4.8. It stems from a missing capability check on the 'pms_save_setting' and 'post_new_pass' AJAX actions: WordPress runs any wp_ajax_{action} handler for every logged-in user, so a handler that never calls a capability check is reachable by the lowest role on the site. The issue is classified under CWE-862 (Missing Authorization); the record also tags CWE-89 (SQL Injection), but nothing in the description involves an injection. The recorded CVSS v3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). Note that this vector contradicts the description: it encodes no privileges required and a confidentiality-only impact, whereas the flaw needs an authenticated Subscriber account (PR:L) and lets the attacker modify settings and add entries (an integrity impact). Treat the vector as a data-quality issue and rely on the prose description when prioritising.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity, simply by posting to admin-ajax.php with the affected action name. Successful exploitation lets them update the plugin's settings and add password entries. The description covers write access only, not disclosure of existing passwords; the practical risk is tampering with the plugin's configuration and planting credential entries that other users may trust.
Patches addressing the missing capability checks are available in WordPress plugin Trac changeset 3221505, which touches trunk/include/pms-passwords-ajax-action.php and trunk/include/pms-settings-ajax-action.php. Further details on the vulnerability are provided in the Wordfence threat-intelligence entry at the referenced URL.
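The following is an added example, not the Passwords Manager plugin's own code, showing the unfixed handler shape that this advisory describes next to a hardened handler for the same two AJAX actions. The hook names 'pms_save_setting' and 'post_new_pass' come from the advisory; every function name, option key, nonce name and capability string is an assumption chosen for illustration.

```php
<?php
/**
 * Added example (not the Passwords Manager plugin's code): the missing-capability-check
 * pattern behind CVE-2024-12614 and a hardened version of the same AJAX actions.
 * Assumed names: example_* functions, example_pms_* option keys, nonce actions and the
 * custom capability 'example_pms_add_password'.
 */

// Unfixed shape: wp_ajax_{action} fires for EVERY logged-in user, Subscribers included,
// so a handler with no current_user_can() call lets anyone with an account write the option.
function example_pms_save_setting_unchecked() {
    $settings = isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : array();
    update_option( 'example_pms_settings', $settings );
    wp_send_json_success();
}

// Hardened shape: authorise the caller, then prove the request came from the plugin's own
// page (nonce), then sanitise, then write.
function example_pms_save_setting_checked() {
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() ends the request, so nothing below runs for a Subscriber.
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    // Ends the request with 403 on a missing or stale nonce (check_ajax_referer default).
    check_ajax_referer( 'example_pms_settings', 'nonce' );

    $raw   = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) ) ? wp_unslash( $_POST['settings'] ) : array();
    $clean = array_map( 'sanitize_text_field', $raw );
    update_option( 'example_pms_settings', $clean );
    wp_send_json_success( $clean );
}
add_action( 'wp_ajax_pms_save_setting', 'example_pms_save_setting_checked' );

// Same treatment for adding a vault entry. A dedicated capability, granted only to the roles
// that should manage the vault, is tighter than reusing manage_options.
function example_post_new_pass_checked() {
    if ( ! current_user_can( 'example_pms_add_password' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    check_ajax_referer( 'example_pms_new_pass', 'nonce' );

    $entry = array(
        'label'    => sanitize_text_field( wp_unslash( $_POST['label'] ?? '' ) ),
        'username' => sanitize_text_field( wp_unslash( $_POST['username'] ?? '' ) ),
        // Kept verbatim here; a real vault must encrypt this value before storing it.
        'password' => wp_unslash( $_POST['password'] ?? '' ),
        'owner'    => get_current_user_id(),
    );
    $entries   = (array) get_option( 'example_pms_entries', array() );
    $entries[] = $entry;
    update_option( 'example_pms_entries', $entries );
    wp_send_json_success( array( 'count' => count( $entries ) ) );
}
add_action( 'wp_ajax_post_new_pass', 'example_post_new_pass_checked' );
// Deliberately no add_action( 'wp_ajax_nopriv_post_new_pass', ... ): the nopriv variant
// would expose the action to unauthenticated visitors as well.

// Grant the custom capability to Administrators once, on activation.
function example_pms_grant_capability() {
    $role = get_role( 'administrator' );
    if ( $role ) {
        $role->add_cap( 'example_pms_add_password' );
    }
}
register_activation_hook( __FILE__, 'example_pms_grant_capability' );

// The settings page hands the nonces to its JavaScript via wp_localize_script().
function example_pms_enqueue_admin_js() {
    wp_enqueue_script( 'example-pms-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-pms-admin', 'examplePms', array(
        'ajaxUrl'       => admin_url( 'admin-ajax.php' ),
        'settingsNonce' => wp_create_nonce( 'example_pms_settings' ),
        'newPassNonce'  => wp_create_nonce( 'example_pms_new_pass' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_pms_enqueue_admin_js' );
```

Two points worth checking when reviewing a fix of this kind. First, a nonce is CSRF protection, not authorization: a Subscriber who can load a page that renders the nonce can obtain a valid one, so the current_user_can() check must be present regardless of check_ajax_referer(). Second, the fix is easy to verify from the outside: log in as a Subscriber, POST to admin-ajax.php with action=pms_save_setting, and expect a 403 JSON error, then repeat as an Administrator with a valid nonce and expect success.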
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50997
Vulnerability details
The Passwords Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pms_save_setting' and 'post_new_pass' AJAX actions in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings and add passwords.
Related Threats
MITRE ATT&CK Enterprise technique: T1190 (Exploit Public-Facing Application).
Why this technique?
The vulnerable AJAX actions are reached through admin-ajax.php on a public-facing WordPress site. Any attacker who holds, registers or has phished a Subscriber account can call them directly; no separate foothold or privilege escalation is needed, which is why the exploit is treated as direct exploitation of the public-facing application. Note that the attack is authenticated (Subscriber or above) and is a missing-authorization flaw, not an unauthenticated SQL injection.
Affected Assets
- Passwords Manager plugin for WordPress (Hirewebxperts), all versions up to and including 1.4.8.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to system resources, directly addressing the missing capability checks on AJAX actions that allow unauthorized modification of plugin settings and passwords.
- AC-6 (Least Privilege): restricts Subscriber-level users from performing administrative actions such as updating settings or adding passwords, and limits the damage any single low-privilege account can do.
- Access restrictions for change: restricts privileged change actions, such as saving plugin settings, to authorized roles, mitigating unauthorized modifications via vulnerable AJAX endpoints.