cleantalk
Vulnerabilities and Security Researches

Bot for Telegram on WooCommerce, CVE-2024-9821

CVE, Research URL

CVE-2024-9821

Home page URL

Security reports for Bot for Telegram on WooCommerce

Application

Bot for Telegram on WooCommerce

Published on
Oct 12, 2024
Research Description
The Bot for Telegram on WooCommerce plugin for WordPress is vulnerable to sensitive information disclosure due to missing authorization checks on the 'stm_wpcfto_get_settings' AJAX action in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to view the Telegram Bot Token, a secret token used to control the bot, which can then be used to log in as any existing user on the site, such as an administrator, if they know the username, due to the Login with Telegram feature.
Affected versions
Min -, max 1.2.4.
Status
vulnerable
Previous vulnerability researches
Bot for Telegram on WooCommerce (CVE-2024-9821) , Oct 14, 2024
Bot for Telegram on WooCommerce (CVE-2025-48268) , May 24, 2025
New vulnerability
Additional Custom Emails for WooCommerce (CVE-2025-48251) , May 24, 2025
WP SMTP (CVE-2025-1123) , May 24, 2025
Bot for Telegram on WooCommerce (CVE-2025-48268) , May 24, 2025
WP Image Mask (CVE-2025-48235) , May 23, 2025
TablePress – Tables in WordPress made easy (CVE-2025-5096) , May 23, 2025