CVE-2024-12615

Name of the Vulnerable Software and Affected Versions Passwords Manager plugin for WordPress versions up to and including 1.4.8

Description The issue is related to SQL injection through the $wpdb->prefix value in several AJAX actions due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This allows authenticated attackers with Subscriber-level access and above to append additional SQL queries to existing ones, potentially extracting sensitive information from the database.

Recommendations For versions up to and including 1.4.8, update to a version higher than 1.4.8 to resolve the issue. As a temporary workaround, consider restricting access to the vulnerable AJAX actions until a patch is available. Avoid using the $wpdb->prefix value in user-supplied parameters to minimize the risk of exploitation.