CVE-2024-9627

HIGH

TeploBot - Telegram Bot for WP <= 1.3 - Unauthenticated Sensitive Information Exposure via service_process Function

Title source: llm

Description

The TeploBot - Telegram Bot for WP plugin for WordPress is vulnerable to sensitive information disclosure due to missing authorization checks on the 'service_process' function in all versions up to, and including, 1.3. This makes it possible for unauthenticated attackers to view the Telegram Bot Token, which is a secret token to control the bot.

References (2)

Core 2

Core References

Product

https://plugins.trac.wordpress.org/browser/green-wp-telegram-bot-by-teplitsa/trunk/inc/core.php?rev=1754863#L266

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/091dadcb-71ac-4321-b3aa-72b5fbbd9163?source=cve

Scores

CVSS v3 8.6

EPSS 0.0035

EPSS Percentile 26.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (2)

gsuvorov/TeploBot – Telegram Bot for WP < 1.3

te-st/teplobot < 1.3

Published Oct 22, 2024

Tracked Since Feb 18, 2026