CVE-2024-12613
📋 TL;DR
This SQL injection vulnerability in the WordPress Passwords Manager plugin allows unauthenticated attackers to execute arbitrary SQL queries against the database. Attackers can extract sensitive information including user credentials, password entries, and other stored data. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- WordPress Passwords Manager plugin
📦 What is this software?
Passwords Manager by Hirewebxperts
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise leading to credential theft, data exfiltration, privilege escalation, and potential site takeover.
Likely Case
Extraction of sensitive password manager data, user information, and potentially WordPress admin credentials.
If Mitigated
Limited information disclosure if database permissions are restricted and web application firewall blocks SQL injection patterns.
🎯 Exploit Status
Exploitation requires crafting specific SQL injection payloads targeting AJAX endpoints, but no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.9 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3221505/passwords-manager/trunk/include/pms-passwords-ajax-action.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Passwords Manager' and click 'Update Now'.
4. Verify the plugin version is 1.4.9 or higher.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the Passwords Manager plugin until it is patched (WP-CLI):
wp plugin deactivate passwords-manager
Web Application Firewall rule
Block SQL injection patterns in requests targeting AJAX endpoints (admin-ajax.php)
🧯 If You Can't Patch
- Disable the Passwords Manager plugin immediately
- Implement strict WAF rules blocking SQL injection patterns and monitor AJAX endpoint access
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Passwords Manager version. If version is 1.4.8 or lower, you are vulnerable.
Check Version:
wp plugin get passwords-manager --field=version
Verify Fix Applied:
Verify plugin version is 1.4.9 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple AJAX requests to /wp-admin/admin-ajax.php with SQL patterns
- Failed login attempts following AJAX requests
Network Indicators:
- POST requests to admin-ajax.php with SQL keywords in parameters
- Unusual database connection patterns from web server
SIEM Query:
source="web_access.log" AND uri="/wp-admin/admin-ajax.php" AND (param="action" AND value="pms_*") AND (param="*" AND value MATCHES "(?i)(union|select|insert|update|delete|drop|--|#|\/\*)")
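As an added illustration of the log indicators and SIEM query above (not part of the original advisory), the following Python scans constructed access-log lines for POSTs to admin-ajax.php whose action begins with pms_ and whose parameters carry SQL patterns, showing that the action filter keeps an unrelated request containing "select" out of the results. The log format (request body appended as a final quoted field) and the pms_example action name are assumptions; the plugin's real action names are not given on this page.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines (not real traffic). Combined log format with the
# URL-encoded POST body logged as a final quoted field (assumed logging setup).
# "pms_example" is a placeholder; the plugin's real action names are not listed here.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "curl/8.0" "action=pms_example&id=1%27+UNION+SELECT+user_login%2Cuser_pass+FROM+wp_users--+-"
198.51.100.7 - - [10/Jan/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 120 "-" "Mozilla/5.0" "action=pms_example&id=42"
198.51.100.9 - - [10/Jan/2025:10:00:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 80 "-" "Mozilla/5.0" "action=heartbeat&data=select"
198.51.100.8 - - [10/Jan/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 90 "-" "Mozilla/5.0" "action=pms_example&note=updated+password"
192.0.2.4 - - [10/Jan/2025:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<body>[^"]*)"$'
)
# Same keyword set as the SIEM query; \b avoids matching "updated" or "selected".
SQLI_RE = re.compile(r"(?i)(\b(union|select|insert|update|delete|drop)\b|--|#|/\*)")


def parse_line(line):
    """Split one access-log line into fields and decode the POST body parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    body = entry["body"]
    entry["params"] = parse_qs(body, keep_blank_values=True) if body != "-" else {}
    return entry


def is_suspicious(entry):
    """Mirror the SIEM query: admin-ajax.php, a pms_* action, SQL pattern in any parameter."""
    if entry is None or entry["uri"].split("?")[0] != "/wp-admin/admin-ajax.php":
        return False
    if not any(a.startswith("pms_") for a in entry["params"].get("action", [])):
        return False
    return any(SQLI_RE.search(v) for values in entry["params"].values() for v in values)


def scan(log_text):
    """Return (source IP, action) for every line that matches the detection logic."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if is_suspicious(entry):
            hits.append((entry["ip"], entry["params"]["action"][0]))
    return hits


if __name__ == "__main__":
    for ip, action in scan(SAMPLE_LOG):
        print(f"suspicious pms_ request from {ip} (action={action})")
```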