Main Vulnerability Database SB2024101759

SB2024101759 - Authentication bypass in Bot for Telegram on WooCommerce for WordPress

Published: October 17, 2024

Security Bulletin ID SB2024101759

Severity

High

Patch available

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Missing Authorization (CVE-ID: CVE-2024-9821)

The vulnerability allows a remote user to compromise the website.

The vulnerability exists due to missing authorization on the "stm_wpcfto_get_settings" AJAX action. A remote authenticated user can obtain the secret Telegram token for bot control and use it to login under an arbitrary account on the website, including administrative account via the Login with Telegram feature.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/a662c904-ba2e-494c-a603-b22eeeddf43d?source=cve
https://plugins.trac.wordpress.org/browser/bot-for-telegram-on-woocommerce/trunk/nuxy/helpers/helpers.php?rev=2575772#L54