CVE-2024-12615: 
WordPress vulnerability analysis and mitigation

The Passwords Manager plugin for WordPress (CVE-2024-12615) contains a SQL Injection vulnerability that affects all versions up to and including 1.4.8. The vulnerability was discovered and disclosed on January 16, 2025, impacting the plugin's AJAX actions functionality (NVD).

The vulnerability stems from insufficient escaping of the $wpdb->prefix value in several AJAX actions and lack of proper preparation in existing SQL queries. The issue has been assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to append additional SQL queries to existing queries, potentially enabling the extraction of sensitive information from the database (NVD).

Users should update to version 1.5.1 or later of the Passwords Manager plugin, which contains patches for the vulnerability. The fixes can be found in multiple files including the CSV export functionality and AJAX action handlers (WordPress Patch).