Unauthenticated Disclosure of Sensitive Information in TeploBot for WordPress
CVE-2024-9627

7.3 HIGH

Key Information:

Vendor: WordPress
Status: Vendor
CVE Published: 22 October 2024

Summary

The TeploBot - Telegram Bot for WP plugin for WordPress contains a missing-authorization vulnerability in its 'service_process' function. Because the function does not perform sufficient authorization checks, unauthenticated users can obtain the Telegram Bot Token, the secret that grants control over the bot. Exposure of this token is a significant risk: anyone holding it can manipulate or hijack the bot's operations.
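The defect class described above (a handler reachable without authentication that returns a stored secret) is common in WordPress plugins. The following is an added illustrative example, not code from the TeploBot plugin or its author; the function names `teplo_demo_service_process_*`, the option key `teplo_demo_settings` and the AJAX action name are hypothetical. It contrasts the vulnerable shape with a hardened replacement that enforces a capability check, a nonce check, and never returns the raw token.

```php
<?php
// Added illustrative example, not the TeploBot plugin's own code.
// All names below (teplo_demo_*, 'teplo_demo_settings') are hypothetical.

// --- Vulnerable pattern -------------------------------------------------
// Registering the same callback on both wp_ajax_* and wp_ajax_nopriv_*
// makes it reachable without a login, and the callback performs no
// capability or nonce check before returning the stored bot token.
function teplo_demo_service_process_vulnerable() {
    $settings = get_option( 'teplo_demo_settings', array() );
    wp_send_json( $settings ); // returns 'bot_token' verbatim to any caller
}
add_action( 'wp_ajax_teplo_demo_service_process', 'teplo_demo_service_process_vulnerable' );
add_action( 'wp_ajax_nopriv_teplo_demo_service_process', 'teplo_demo_service_process_vulnerable' );

// --- Hardened pattern ---------------------------------------------------
function teplo_demo_service_process_hardened() {
    // 1. Authorization: only users who may manage plugin settings proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // 2. CSRF protection: the request must carry a valid nonce
    //    (check_ajax_referer() terminates the request on failure).
    check_ajax_referer( 'teplo_demo_service_process', 'nonce' );

    $settings = get_option( 'teplo_demo_settings', array() );

    // 3. Data minimisation: never echo the secret; expose a masked form only.
    if ( isset( $settings['bot_token'] ) ) {
        $settings['bot_token'] = teplo_demo_mask_token( $settings['bot_token'] );
    }
    wp_send_json_success( $settings );
}
// Registered on wp_ajax_* only. Without a wp_ajax_nopriv_* hook, anonymous
// requests to admin-ajax.php never reach the callback at all.
add_action( 'wp_ajax_teplo_demo_service_process', 'teplo_demo_service_process_hardened' );

/**
 * Return a display-safe form of a token: everything masked except the
 * last four characters, which is enough for an administrator to confirm
 * which token is configured.
 */
function teplo_demo_mask_token( $token ) {
    $len = strlen( $token );
    if ( $len <= 4 ) {
        return str_repeat( '*', $len );
    }
    return str_repeat( '*', $len - 4 ) . substr( $token, -4 );
}
```

The three controls are independent: the capability check decides who may call the endpoint, the nonce check ties the call to a page the site itself rendered, and masking ensures that even an authorized response cannot leak the full secret into browser history, proxies or logs. For a deployment that was exposed, updating the plugin is not sufficient on its own: a token that may already have been read should be regenerated in Telegram so the old value stops working.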

References

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published
