Cyber Resilience

CVE-2024-12614

Severity: High

Published: 16 January 2025

Modified: 17 January 2025
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0043 (62.9th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-12614 is a high-severity SQL Injection (CWE-89) vulnerability in Hirewebxperts Passwords Manager. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 37.1% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-12614 is a vulnerability in the Passwords Manager plugin for WordPress, affecting all versions up to and including 1.4.8. It stems from a missing capability check on the 'pms_save_setting' and 'post_new_pass' AJAX actions, enabling unauthorized modification of data. The issue is classified under CWE-89 (SQL Injection) and CWE-862 (Missing Authorization), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity. Successful exploitation allows them to update the plugin's settings and add passwords, potentially compromising stored credentials or configurations.

Patches addressing the missing capability checks are available in WordPress plugin trac changeset 3221505, applied to trunk/include/pms-passwords-ajax-action.php and trunk/include/pms-settings-ajax-action.php. Further details on the vulnerability are provided in Wordfence threat intelligence at the referenced URL.
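As an added illustration of the CWE-862 pattern the advisory describes (this is not the plugin's own code: only the AJAX action name comes from the advisory, while the function names, option name and nonce action are assumptions), a handler that saves a setting without a capability check is shown beside a hardened version:

```php
<?php
// Added illustrative example; it is not the Passwords Manager plugin's code.
// The AJAX action name 'pms_save_setting' comes from the advisory; the
// function names, option name and nonce action are assumptions.

// CWE-862 pattern described in the advisory: the handler is reachable by any
// logged-in user (the wp_ajax_ prefix only requires a session), but it never
// checks what the caller is allowed to do, so a Subscriber can change settings.
function pms_example_save_setting_missing_check() {
    $value = isset( $_POST['setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['setting'] ) )
        : '';
    update_option( 'pms_example_setting', $value );
    wp_send_json_success();
}

// Hardened handler: verify capability and nonce before touching any data.
function pms_example_save_setting_checked() {
    // Subscriber accounts do not hold manage_options, so this rejects them
    // with a 403 before any state changes.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // check_ajax_referer() terminates the request on a missing or invalid
    // nonce, which also closes the CSRF path to this handler.
    check_ajax_referer( 'pms_example_save_setting', 'nonce' );

    $value = isset( $_POST['setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['setting'] ) )
        : '';
    update_option( 'pms_example_setting', $value );
    wp_send_json_success();
}

// Wire the hardened handler to the action name named in the advisory.
add_action( 'wp_ajax_pms_save_setting', 'pms_example_save_setting_checked' );
```

The same two checks (capability, then nonce) belong on every privileged wp_ajax_ handler; a wp_ajax_nopriv_ registration additionally exposes the handler to unauthenticated callers and needs even stricter review.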

Vulnerability details

The Passwords Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pms_save_setting' and 'post_new_pass' AJAX actions in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's settings and add passwords.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct exploitation of unauthenticated/missing-authorization SQLi and AJAX actions in a public-facing WordPress plugin.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-12613: same product (Hirewebxperts Passwords Manager)
CVE-2026-39334: shared CWE-89
CVE-2024-13488: shared CWE-89
CVE-2025-13603: shared CWE-862
CVE-2026-20002: shared CWE-89
CVE-2025-1446: shared CWE-89
CVE-2025-69063: shared CWE-862
CVE-2025-22699: shared CWE-89
CVE-2026-36232: shared CWE-89
CVE-2026-31871: shared CWE-89

Affected Assets

hirewebxperts passwords manager, versions ≤ 1.5.1

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to system resources, directly addressing the missing capability checks on AJAX actions that allow unauthorized modification of plugin settings and passwords.

AC-6 Least Privilege (prevent): Implements least privilege to restrict Subscriber-level users from performing administrative actions like updating settings or adding passwords.

Prevent: Restricts access to privileged change actions such as saving plugin settings to authorized roles, mitigating unauthorized modifications via vulnerable AJAX endpoints.
