CVE-2024-9628

The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Wps_Telegram_Chat_Admin::checkСonnection' function in versions up to, and including, 4.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the Telegram Bot API endpoint and communicate with it.

CVSS v3 6.3 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/wps-telegram-chat/tags/4.5.4/admin/class-wps-telegram-chat-admin.php#L176
https://www.wordfence.com/threat-intel/vulnerabilities/id/c7f7e545-5e14-421e-90b4-bc54b23d0fe6?source=cve

Configurations

No configuration.

History

25 Oct 2024, 16:15

Type	Values Removed	Values Added
Summary	(en) The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Wps_Telegram_Chat_Admin::check?onnection' function in versions up to, and including, 4.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the Telegram Bot API endpoint and communicate with it.	(en) The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Wps_Telegram_Chat_Admin::checkСonnection' function in versions up to, and including, 4.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the Telegram Bot API endpoint and communicate with it.

25 Oct 2024, 12:56

Type	Values Removed	Values Added
Summary		(es) El complemento WPS Telegram Chat para WordPress es vulnerable a la modificación no autorizada de datos y a la pérdida de datos debido a la falta de una comprobación de capacidad en la función 'Wps_Telegram_Chat_Admin::check?onnection' en versiones hasta la 4.5.4 incluida. Esto permite que atacantes autenticados, con acceso de nivel de suscriptor y superior, tengan acceso completo al endpoint de la API de Telegram Bot y se comuniquen con él.
Summary	(en) The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Wps_Telegram_Chat_Admin::checkСonnection' function in versions up to, and including, 4.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the Telegram Bot API endpoint and communicate with it.	(en) The WPS Telegram Chat plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the 'Wps_Telegram_Chat_Admin::check?onnection' function in versions up to, and including, 4.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the Telegram Bot API endpoint and communicate with it.

25 Oct 2024, 08:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-25 08:15

Updated : 2024-10-25 16:15

NVD link : CVE-2024-9628

Mitre link : CVE-2024-9628

CVE.ORG link : CVE-2024-9628

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

6.3 /10