CVE-2024-9686

The Order Notification for Telegram plugin for WordPress is vulnerable to unauthorized test message sending due to a missing capability check on the 'nktgnfw_send_test_message' function in versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to send a test message via the Telegram Bot API to the user configured in the settings.

Configurations

Configuration 1

cpe:2.3:a:choplugins:order_notification_for_telegram:*:*:*:*:*:wordpress:*:*

History

06 Nov 2024, 16:19

Type Values Removed Values Added
CPE cpe:2.3:a:choplugins:order_notification_for_telegram:*:*:*:*:*:wordpress:*:*
References () https://plugins.trac.wordpress.org/browser/order-notification-for-telegram/tags/1.0.1/inc/admin_ajax.php#L5 - () https://plugins.trac.wordpress.org/browser/order-notification-for-telegram/tags/1.0.1/inc/admin_ajax.php#L5 - Product
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/c182b4f2-c67b-4e82-a790-6d98946ebf2c?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/c182b4f2-c67b-4e82-a790-6d98946ebf2c?source=cve - Third Party Advisory
First Time Choplugins order Notification For Telegram
Choplugins

25 Oct 2024, 12:56

Type Values Removed Values Added
Summary
  • (es) The Order Notification for Telegram plugin for WordPress is vulnerable to unauthorized sending of test messages due to a missing capability check on the 'nktgnfw_send_test_message' function in versions up to and including 1.0.1. This makes it possible for unauthenticated attackers to send a test message via the Telegram Bot API to the user configured in the settings.

25 Oct 2024, 05:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-10-25 05:15

Updated : 2024-11-06 16:19


NVD link : CVE-2024-9686

Mitre link : CVE-2024-9686

CVE.ORG link : CVE-2024-9686

Products Affected

choplugins

  • order_notification_for_telegram

CWE

CWE-862

Missing Authorization