
Description

The Order Notification for Telegram plugin for WordPress is vulnerable to unauthorized test message sending due to a missing capability check on the 'nktgnfw_send_test_message' AJAX handler in versions up to, and including, 1.0.1. This makes it possible for unauthenticated attackers to send a test message via the Telegram Bot API, using the bot token and recipient configured in the plugin settings.
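To make the CWE-862 pattern concrete, the following is an added, illustrative PHP example; it is not the plugin's own source and does not reproduce inc/admin_ajax.php. It places a WordPress admin-ajax handler written the way an unauthenticated-reachable handler typically is beside a hardened version. Only the function name nktgnfw_send_test_message comes from the description above; the hook registrations, option names (nktgnfw_bot_token, nktgnfw_chat_id), nonce action name, the "_fixed" suffix and the helper are assumptions made for the example.

```php
<?php
/*
 * Illustrative WordPress AJAX handler showing the missing-authorization
 * (CWE-862) pattern and one way to fix it. Added example code, not the
 * plugin's source; hook names, option keys and request shape are assumed.
 */

// --- Vulnerable pattern (assumed shape) ------------------------------------

add_action( 'wp_ajax_nktgnfw_send_test_message', 'nktgnfw_send_test_message' );
// Registering the nopriv variant makes the handler reachable by anyone who
// can POST to /wp-admin/admin-ajax.php, logged in or not.
add_action( 'wp_ajax_nopriv_nktgnfw_send_test_message', 'nktgnfw_send_test_message' );

function nktgnfw_send_test_message() {
    // No current_user_can() and no nonce check: every request reaches the
    // Bot API call below with the site's stored token and chat id.
    nktgnfw_example_post_to_telegram( 'Test message from ' . get_bloginfo( 'name' ) );
    wp_send_json_success();
}

// --- Hardened pattern --------------------------------------------------------

// Only the authenticated hook is registered; there is no wp_ajax_nopriv_*
// registration, so anonymous requests get the default "0" response.
add_action( 'wp_ajax_nktgnfw_send_test_message_fixed', 'nktgnfw_send_test_message_fixed' );

function nktgnfw_send_test_message_fixed() {
    // Authorization: only users who may manage plugin settings. wp_send_json_error()
    // calls wp_die(), so execution stops here on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    // CSRF protection: the settings page must embed a nonce created with
    // wp_create_nonce( 'nktgnfw_test_message' ) and send it as the 'nonce' field.
    // check_ajax_referer() dies on a missing or invalid nonce.
    check_ajax_referer( 'nktgnfw_test_message', 'nonce' );

    $result = nktgnfw_example_post_to_telegram( 'Test message from ' . get_bloginfo( 'name' ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success();
}

// Shared helper (assumed option names): calls the Telegram Bot API sendMessage
// method with the stored bot token and chat id.
function nktgnfw_example_post_to_telegram( $text ) {
    $token   = get_option( 'nktgnfw_bot_token' );
    $chat_id = get_option( 'nktgnfw_chat_id' );
    if ( empty( $token ) || empty( $chat_id ) ) {
        return new WP_Error( 'nktgnfw_not_configured', 'Bot token or chat id is not configured' );
    }
    return wp_remote_post(
        'https://api.telegram.org/bot' . rawurlencode( $token ) . '/sendMessage',
        array(
            'timeout' => 10,
            'body'    => array( 'chat_id' => $chat_id, 'text' => $text ),
        )
    );
}
```

Two separate checks are needed, and they are not interchangeable: the capability check is the authorization the CWE names, while the nonce only defends against cross-site request forgery (a nonce is visible to any user who can load the page that embeds it, so on its own it does not restrict who may call the handler). Dropping the wp_ajax_nopriv_* registration closes the unauthenticated path entirely; keeping it would be justified only for actions that anonymous visitors are genuinely meant to perform.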

Published. Reserved 2024-10-09 | Published 2024-10-25 | Updated 2024-10-25 | Assigner: Wordfence

MEDIUM: 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status: unaffected

* (semver): affected

Timeline

2024-10-09: Discovered
2024-10-09: Vendor Notified
2024-10-24: Disclosed

Credits

István Márton (finder)

References

www.wordfence.com/...-c67b-4e82-a790-6d98946ebf2c?source=cve

plugins.trac.wordpress.org/.../tags/1.0.1/inc/admin_ajax.php

cve.org (CVE-2024-9686)

nvd.nist.gov (CVE-2024-9686)
