Unauthenticated Disclosure of Sensitive Information in TeploBot for WordPress
CVE-2024-9627
8.6 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 22 October 2024
What is CVE-2024-9627?
The TeploBot - Telegram Bot for WP plugin for WordPress has a vulnerability in its 'service_process' function, where insufficient authorization checks can lead to the unintended exposure of sensitive information. Specifically, unauthenticated users can gain access to the Telegram Bot Token, a crucial secret that enables control over the bot. This poses significant security risks, as the exposed token may allow malicious actors to manipulate or hijack the bot's operations.
Affected Version(s)
TeploBot - Telegram Bot for WP 0 <= 1.3