CVE-2024-12615

6.5 MEDIUM

📋 TL;DR

The Passwords Manager WordPress plugin contains a SQL injection vulnerability that allows authenticated attackers with Subscriber-level access or higher to execute arbitrary SQL queries. This can lead to extraction of sensitive data from the database, including passwords and other confidential information stored by the plugin. All WordPress sites using this plugin up to version 1.4.8 are affected.

💻 Affected Systems

Products:
  • Passwords Manager WordPress Plugin
Versions: All versions up to and including 1.4.8
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated user with at least the Subscriber role; affects all WordPress installations running a vulnerable plugin version.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to credential theft, privilege escalation, and potential site takeover.

🟠 Likely Case: Extraction of sensitive password data stored by the plugin, potentially exposing user credentials.

🟢 If Mitigated: Limited impact if proper input validation and prepared statements are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but uses common SQL injection techniques; weaponization is likely given the sensitive nature of password manager data.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.9 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3221505/passwords-manager

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'Passwords Manager' and click 'Update Now'.
4. Verify the update to version 1.4.9 or later.

🔧 Temporary Workarounds

Disable Vulnerable Plugin (applies to: all)

Temporarily disable the Passwords Manager plugin until patched.

wp plugin deactivate passwords-manager

Restrict User Roles (applies to: all)

Limit Subscriber and higher role assignments to trusted users only.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns
  • Restrict database user permissions to read-only for application accounts

🔍 How to Verify

Check if Vulnerable:

In the WordPress admin panel, go to Plugins and check the Passwords Manager version; if it is 1.4.8 or lower, you are vulnerable.

Check Version:

wp plugin get passwords-manager --field=version

Verify Fix Applied:

Verify plugin version is 1.4.9 or higher in WordPress admin panel.
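The version check above can be scripted so it runs the same way on every site. The script below is an added example, not part of the advisory or the plugin: it takes the version string that `wp plugin get passwords-manager --field=version` returns, compares it numerically against the fixed version 1.4.9 from the advisory, and reports whether the install is still in the affected range. The `version_lt` and `plugin_status` helpers and the `PLUGIN_VERSION` variable used for offline runs are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether an installed
# Passwords Manager version is within the affected range (<= 1.4.8).
# The fixed version 1.4.9 and the wp-cli command come from the advisory;
# the helper names and the PLUGIN_VERSION variable are assumptions.

FIXED_VERSION="1.4.9"

# version_lt A B: return 0 (true) when dotted version A sorts before B.
# Components are compared numerically, a non-numeric suffix such as
# "8-beta" is truncated to its leading digits, and a missing component
# counts as 0 (so "1.4" < "1.4.9").
version_lt() {
  a="$1"
  b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}";; *) a="";; esac
    case "$b" in *.*) b="${b#*.}";; *) b="";; esac
  done
  return 1
}

# plugin_status VERSION: print "vulnerable" for versions below the fix,
# "patched" otherwise, and "unknown" when no version could be read.
plugin_status() {
  v="$1"
  if [ -z "$v" ]; then
    echo "unknown"
  elif version_lt "$v" "$FIXED_VERSION"; then
    echo "vulnerable"
  else
    echo "patched"
  fi
}

# Stand-alone run: read the version from wp-cli when it is available,
# otherwise from PLUGIN_VERSION (hypothetical variable for offline use).
if command -v wp >/dev/null 2>&1; then
  installed="$(wp plugin get passwords-manager --field=version 2>/dev/null || true)"
else
  installed="${PLUGIN_VERSION:-}"
fi
echo "Passwords Manager ${installed:-<version not found>}: $(plugin_status "$installed")"
```

Run it from the WordPress root where wp-cli is configured; a result of "vulnerable" means the plugin should be updated (`wp plugin update passwords-manager`) or deactivated as described under Temporary Workarounds. A plain string comparison would misorder versions such as 1.4.10 against 1.4.9, which is why the components are compared as integers.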

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from WordPress AJAX endpoints
  • Multiple failed login attempts followed by SQL-like query patterns

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with SQL injection payloads in parameters

SIEM Query:

source="wordpress.log" AND "admin-ajax.php" AND ("UNION" OR "SELECT" OR "FROM" OR "WHERE" OR "--")
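The SIEM query above is a keyword match; the same idea can be applied to a web-server access log where no SIEM is available. The script below is an added example, not part of the advisory: it flags POST requests to admin-ajax.php whose query string carries SQL keywords, a comment sequence or an encoded quote, then lists client IPs that exceed a hit threshold so that a single stray keyword does not page anyone. The log lines are constructed for illustration (documentation-range IPs, and `EXAMPLE_ACTION` is a placeholder, not a real plugin action name). One caveat the access-log approach shares with the SIEM query: only the query string is visible there, so parameters sent in the POST body need WAF or request-body logging to be inspected.

```shell
#!/bin/sh
# Added example, not from the advisory: keyword-based detection of
# suspicious admin-ajax.php requests in a combined-format access log,
# summarised per client IP. Function names are assumptions of this example.

# Constructed sample log: two hits from 192.0.2.10, benign traffic elsewhere.
SAMPLE_LOG='192.0.2.10 - - [10/Dec/2024:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=EXAMPLE_ACTION&id=7 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Dec/2024:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=EXAMPLE_ACTION&id=7%20UNION%20SELECT%201%2C2%2C3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Dec/2024:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=EXAMPLE_ACTION&id=7%27%20OR%201%3D1-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Dec/2024:10:02:11 +0000] "GET /wp-content/uploads/select-from-where.png HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Dec/2024:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"'

# flag_sqli_requests: read an access log on stdin, print "<ip> <path>" for
# POST requests to admin-ajax.php whose query string contains a SQL keyword
# bounded by an encoded space/plus, a "--" comment, or an encoded quote (%27).
# A trailing "&" is appended so a keyword at the very end still has a boundary.
flag_sqli_requests() {
  awk '
    $6 == "\"POST" && $7 ~ /admin-ajax\.php/ {
      p = tolower($7) "&"
      if (p ~ /(%20|[+])(union|select|from|where)(%20|[+]|%|&)/ || p ~ /--/ || p ~ /%27/)
        print $1, $7
    }'
}

# count_flagged: number of flagged requests in the log on stdin.
count_flagged() {
  flag_sqli_requests | awk 'END { print NR }'
}

# suspect_ips THRESHOLD: client IPs with at least THRESHOLD flagged requests.
suspect_ips() {
  flag_sqli_requests | awk -v t="${1:-2}" '
    { c[$1]++ }
    END { for (ip in c) if (c[ip] >= t) print ip }' | sort
}

# Stand-alone run over the constructed sample.
echo "Flagged requests:"
printf '%s\n' "$SAMPLE_LOG" | flag_sqli_requests
echo "Client IPs with 2 or more hits:"
printf '%s\n' "$SAMPLE_LOG" | suspect_ips 2
```

To run it on a real log, pipe the file into the function (`flag_sqli_requests < /var/log/nginx/access.log`). The keyword list mirrors the SIEM query and is deliberately broad, so legitimate parameter values containing "from" or "where" will produce single hits; the per-IP threshold in `suspect_ips` is what keeps those from becoming alerts, and the GET line in the sample shows why the match is restricted to POSTs against admin-ajax.php rather than the whole URL.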
