Vulnerabilities and security researches forbot-for-telegram-on-woocommerce bot-for-telegram-on-woocommerce

Oct 14, 2024

CVE, Research URL: CVE-2024-9821
Home page URL: Security reports for Bot for Telegram on WooCommerce
Application: Bot for Telegram on WooCommerce
Date: Oct 12, 2024
Research Description: The Bot for Telegram on WooCommerce plugin for WordPress is vulnerable to sensitive information disclosure due to missing authorization checks on the 'stm_wpcfto_get_settings' AJAX action in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the Telegram Bot Token, a secret token used to control the bot, which can then be used to log in as any existing user on the site, such as an administrator, if they know the username, due to the Login with Telegram feature.
Affected versions: Min -, max -.
Status: vulnerable

May 24, 2025

CVE, Research URL: CVE-2025-48268
Home page URL: Security reports for Bot for Telegram on WooCommerce
Application: Bot for Telegram on WooCommerce
Date: May 19, 2025
Research Description: Missing Authorization vulnerability in Guru Team Bot for Telegram on WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bot for Telegram on WooCommerce: from n/a through 1.2.6.
Affected versions: Min -, max -.
Status: vulnerable