CVE-2024-9821
📋 TL;DR
This vulnerability allows authenticated WordPress users with subscriber-level access or higher to retrieve the Telegram Bot Token via an AJAX endpoint without proper authorization. Attackers can use this token to log in as any existing user, including administrators, through the Login with Telegram feature. All WordPress sites using the Bot for Telegram on WooCommerce plugin up to version 1.2.4 are affected.
💻 Affected Systems
- Bot for Telegram on WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain Telegram Bot Token, use it to log in as administrator, gain full control of the WordPress site, and potentially compromise the entire web server.
Likely Case
Attackers steal Telegram Bot Token and use it to impersonate users, potentially accessing sensitive data or performing unauthorized actions.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized token viewing without successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward via AJAX requests. Public proof-of-concept exists in vulnerability references.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.2.5 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/bot-for-telegram-on-woocommerce/trunk/nuxy/helpers/helpers.php?rev=2575772#L54
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find 'Bot for Telegram on WooCommerce'. 4. Click 'Update Now' if available. 5. Alternatively, download version 1.2.5+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoint
allRemove or restrict access to the 'stm_wpcfto_get_settings' AJAX action
Add to theme's functions.php or custom plugin: remove_action('wp_ajax_stm_wpcfto_get_settings', 'stm_wpcfto_get_settings');
Add to .htaccess if using Apache: RewriteRule ^wp-admin/admin-ajax\.php\?action=stm_wpcfto_get_settings - [F,L]
Restrict user registration
allPrevent new user registrations to limit potential attackers
In WordPress Settings > General, uncheck 'Anyone can register'
Add to wp-config.php: define('WP_DEFAULT_ROLE', 'subscriber'); // Or remove if not needed
🧯 If You Can't Patch
- Immediately disable the Bot for Telegram on WooCommerce plugin
- Implement web application firewall rules to block requests to the vulnerable AJAX endpoint
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin > Plugins. If version is 1.2.4 or lower, you are vulnerable.Check Version:
wp plugin list --name='Bot for Telegram on WooCommerce' --field=version (WP-CLI) or check WordPress admin panelVerify Fix Applied:
After updating, verify plugin version is 1.2.5 or higher. Test AJAX endpoint access with subscriber account - should return authorization error.📡 Detection & Monitoring
Log Indicators:
- Multiple AJAX requests to 'admin-ajax.php' with 'action=stm_wpcfto_get_settings' from non-admin users
- Unusual user logins via Telegram authentication
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action parameter containing 'stm_wpcfto_get_settings'
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "stm_wpcfto_get_settings" AND user_role!="administrator"