Passwords Manager WordPress Plugin Missing Capability Check Vulnerability
Vulnerability
A vulnerability exists in the Passwords Manager plugin for WordPress, in all versions through 1.4.8. The issue stems from missing capability checks on the 'pms_save_setting' and 'post_new_pass' AJAX actions. This flaw allows authenticated attackers with Subscriber-level access and above to modify plugin settings, add passwords, and update the encryption key used for password management without authorization.
Impact
Exploitation of this vulnerability allows for unauthorized addition of passwords and modification of the encryption key, which could lead to unauthorized access to password data.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a request to the 'pms_save_setting' or 'post_new_pass' AJAX action; no capability check is enforced on either. The request includes the 'security_nonce' parameter to bypass nonce verification and directly manipulates the 'setting_key' or password data being sent.
Remediation
Users are advised to update the Passwords Manager plugin to version 1.5.1 or later, where this vulnerability has been patched.
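The same class of flaw (a `wp_ajax_` handler with no capability check) can be looked for in other plugin source with a small audit script. This is an added example, not code from the plugin or from this advisory: the embedded PHP is a constructed sample, the function, nonce and option names are hypothetical, and only the two action names are taken from the text above. The check is a text heuristic and does not parse PHP.

```python
import re

# Constructed sample plugin source (not the Passwords Manager plugin's code).
# Action names come from the advisory; function names are hypothetical.
SAMPLE_PHP = r"""
add_action( 'wp_ajax_pms_save_setting', 'demo_save_setting' );
add_action( 'wp_ajax_post_new_pass', 'demo_new_pass' );

function demo_save_setting() {
    check_ajax_referer( 'demo_nonce', 'security_nonce' );
    update_option( 'demo_setting_key', sanitize_text_field( wp_unslash( $_POST['setting_key'] ) ) );
    wp_send_json_success();
}

function demo_new_pass() {
    check_ajax_referer( 'demo_nonce', 'security_nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success();
}
"""

HOOK_RE = re.compile(r"add_action\(\s*['\"]wp_ajax_(\w+)['\"]\s*,\s*['\"](\w+)['\"]")

def function_body(src, name):
    """Return the text between the braces of `function name(...) {...}`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit_ajax_handlers(src):
    """Map each wp_ajax_ action to True if its callback calls current_user_can()."""
    results = {}
    for action, callback in HOOK_RE.findall(src):
        body = function_body(src, callback)
        results[action] = body is not None and "current_user_can(" in body
    return results

def missing_capability_checks(src):
    return sorted(a for a, ok in audit_ajax_handlers(src).items() if not ok)

if __name__ == "__main__":
    print(missing_capability_checks(SAMPLE_PHP))
```

A handler that verifies only a nonce is still flagged, since a nonce check does not establish that the caller holds the required capability.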
