CVE-2024-12615 is an SQL Injection vulnerability classified under CWE-89 affecting the Passwords Manager plugin for WordPress developed by coder426. The vulnerability arises from improper neutralization of special elements in SQL commands, specifically due to insufficient escaping of the $wpdb->prefix parameter in multiple AJAX actions. This parameter is user-supplied and not adequately sanitized or prepared before being incorporated into SQL queries, allowing attackers with authenticated access at Subscriber level or above to append malicious SQL code. Exploitation enables attackers to extract sensitive information from the WordPress database, such as user credentials or other confidential data stored by the plugin. The vulnerability affects all versions up to and including 1.4.8. The CVSS v3.1 base score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. The vulnerability does not affect data integrity or availability but compromises confidentiality. No patches or fixes are currently linked, and no known exploits have been observed in the wild. The flaw underscores the importance of proper input validation and use of prepared statements in WordPress plugin development to prevent SQL Injection attacks.

The primary impact of CVE-2024-12615 is unauthorized disclosure of sensitive information stored in the WordPress database via SQL Injection. Attackers with low-level authenticated access can exploit this vulnerability remotely without user interaction, potentially extracting user credentials, personal data, or other confidential plugin-related information. This can lead to privacy violations, data breaches, and further exploitation if attackers leverage stolen data for privilege escalation or lateral movement. Although the vulnerability does not directly affect data integrity or availability, the confidentiality breach can damage organizational reputation, lead to regulatory penalties, and increase risk exposure. Organizations running WordPress sites with the affected Passwords Manager plugin are at risk, especially if they allow Subscriber-level users or higher to interact with AJAX endpoints. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, as attackers may develop exploits given the publicly available vulnerability details.

To mitigate CVE-2024-12615, organizations should first check for and apply any available updates or patches from the plugin vendor once released. Until patches are available, administrators should restrict Subscriber-level and higher user access to minimize exploitation risk. Implementing Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the $wpdb->prefix parameter in AJAX requests can provide temporary protection. Reviewing and hardening AJAX endpoint permissions to ensure only trusted users can access sensitive functionality is recommended. Additionally, site owners should audit their WordPress environment for other plugins or themes with similar SQL injection risks and enforce the principle of least privilege for user roles. Employing database activity monitoring to detect anomalous queries and maintaining regular backups will aid in incident response. Finally, developers should refactor the plugin code to use prepared statements and proper input sanitization to eliminate the root cause of the vulnerability.