CVE-2024-12613 is a SQL Injection vulnerability identified in the coder426 Passwords Manager plugin for WordPress, affecting all versions up to and including 1.4.8. The vulnerability stems from insufficient escaping and lack of proper preparation of SQL queries involving the $wpdb->prefix parameter in several AJAX functions. This parameter, which is user-supplied, is concatenated directly into SQL statements without adequate sanitization, enabling attackers to append arbitrary SQL commands. Because the vulnerability can be exploited by unauthenticated attackers without any user interaction, it presents a critical attack vector. Successful exploitation allows attackers to extract sensitive information from the underlying database, potentially exposing user credentials, configuration data, or other confidential information stored by the plugin or WordPress site. The CVSS v3.1 score of 7.5 reflects the high impact on confidentiality, with no impact on integrity or availability, and the ease of remote exploitation without privileges. Although no public exploits have been reported yet, the vulnerability's nature and the widespread use of WordPress make it a significant concern. The lack of available patches at the time of publication necessitates immediate mitigation efforts by site administrators. The vulnerability is cataloged under CWE-89, indicating improper neutralization of special elements in SQL commands, a common and dangerous class of injection flaws.

The primary impact of CVE-2024-12613 is the unauthorized disclosure of sensitive information stored in the WordPress database. Attackers exploiting this vulnerability can extract user credentials, plugin configuration details, and potentially other sensitive data, leading to privacy violations and further compromise of the affected systems. Since the vulnerability does not affect integrity or availability directly, it does not enable data modification or denial of service, but the confidentiality breach alone can facilitate subsequent attacks such as account takeover or lateral movement within the network. Organizations relying on the coder426 Passwords Manager plugin are at risk of data leakage, which can damage reputation, incur regulatory penalties, and result in loss of customer trust. The fact that exploitation requires no authentication or user interaction increases the likelihood of automated scanning and exploitation attempts, especially as awareness of the vulnerability spreads. The impact is particularly severe for websites handling sensitive user data or operating in regulated industries.

1. Immediately restrict access to the vulnerable AJAX endpoints by implementing IP whitelisting or authentication requirements to reduce exposure. 2. Apply strict input validation and sanitization on all user-supplied parameters, especially those used in SQL queries, ensuring that $wpdb->prefix or any similar variables are properly escaped or parameterized. 3. Employ prepared statements or parameterized queries instead of direct string concatenation to prevent injection. 4. Monitor database logs and web server logs for unusual query patterns or repeated failed attempts indicative of injection attempts. 5. Disable or remove the coder426 Passwords Manager plugin if it is not essential, or replace it with a more secure alternative until an official patch is released. 6. Keep WordPress core and all plugins updated to the latest versions to benefit from security fixes. 7. Consider deploying a Web Application Firewall (WAF) with rules to detect and block SQL injection payloads targeting this plugin. 8. Educate site administrators about the risks of SQL injection and the importance of secure coding practices in plugin development.