Sensitive Information Disclosure Vulnerability in Telegram on WooCommerce Plugin
CVE-2024-9821

8.8HIGH

Key Information:

Vendor

Wordpress
Status
Bot For Telegram On WooCommerce
Vendor
CVE Published:
12 October 2024

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 27%

What is CVE-2024-9821?

The Bot for Telegram on WooCommerce plugin for WordPress has a vulnerability that allows authenticated attackers to exploit missing authorization checks on the 'stm_wpcfto_get_settings' AJAX action. This issue affects all versions up to and including 1.2.4. Attackers with subscriber-level access or higher can access sensitive information, including the Telegram Bot Token. This secret token is crucial as it permits control over the bot and may enable unauthorized access to any existing user account, notably an administrative account, if the username is known. This vulnerability highlights the importance of implementing robust authorization measures to safeguard sensitive information.

Affected Version(s)

Bot for Telegram on WooCommerce * <= 1.2.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-9821
Created by RandomRobbieBF

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/bot-for-telegr...

EPSS Score

27% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

István Márton
.