CVE-2024-12614
Published: 16 January 2025
Description
The Passwords Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pms_save_setting' and 'post_new_pass' AJAX actions in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins settings and add passwords.
Security Summary
CVE-2024-12614 is a vulnerability in the Passwords Manager plugin for WordPress, affecting all versions up to and including 1.4.8. It stems from a missing capability check on the 'pms_save_setting' and 'post_new_pass' AJAX actions, enabling unauthorized modification of data. The issue is classified under CWE-89 (SQL Injection) and CWE-862 (Missing Authorization), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network with low complexity. Successful exploitation allows them to update the plugin's settings and add passwords, potentially compromising stored credentials or configurations.
Patches addressing the missing capability checks are available in WordPress plugin trac changeset 3221505, applied to trunk/include/pms-passwords-ajax-action.php and trunk/include/pms-settings-ajax-action.php. Further details on the vulnerability are provided in Wordfence threat intelligence at the referenced URL.
Details
- CWE(s)