CVE-2024-12614
16.01.2025, 10:15
The Passwords Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'pms_save_setting' and 'post_new_pass' AJAX actions in all versions up to, and including, 1.4.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugins settings and add passwords.
| Vendor | Product | Version |
|---|---|---|
| hirewebxperts | passwords_manager | 𝑥 < 1.5.1 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
- CWE-862 - Missing AuthorizationThe software does not perform an authorization check when an actor attempts to access a resource or perform an action.
References