
CVE-2024-9628: CWE-862 Missing Authorization in wpsolution WPS Telegram Chat

Severity: Medium
Tags: Vulnerability, CVE-2024-9628, CWE-862
Published: Fri Oct 25 2024 (10/25/2024, 07:38:00 UTC)
Source: CVE Database V5
Vendor/Project: wpsolution
Product: WPS Telegram Chat

Description

CVE-2024-9628 is a medium severity vulnerability in the WPS Telegram Chat WordPress plugin, affecting all versions up to and including 4.5.4. The 'Wps_Telegram_Chat_Admin::checkСonnection' function performs no authorization check, so authenticated users with subscriber-level access or higher can interact with the Telegram Bot API endpoint through the plugin. This can lead to unauthorized modification or loss of data via the Telegram integration. Exploitation requires no user interaction, but it does require at least low-privileged authenticated access. The vulnerability impacts the confidentiality, integrity, and availability of data related to the Telegram bot communication. No exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying mitigations to prevent unauthorized access. Countries with large WordPress user bases and significant Telegram usage are most at risk.

AI-Powered Analysis

Last updated: 02/25/2026, 23:30:18 UTC

Technical Analysis

CVE-2024-9628 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the WPS Telegram Chat plugin for WordPress, versions up to and including 4.5.4. The core issue is that the 'Wps_Telegram_Chat_Admin::checkСonnection' function, which is reachable by authenticated users and interacts with the Telegram Bot API endpoint, performs no capability check before doing so. Because of this missing authorization, any authenticated user with subscriber-level privileges or higher can reach the function to send commands or modify data via the Telegram Bot API, potentially leading to unauthorized data modification or loss. The vulnerability has a CVSS 3.1 base score of 6.3, indicating medium severity: the attack vector is network (remote), attack complexity is low, low privileges (an authenticated user) are required, no user interaction is needed, and scope is unchanged. The flaw impacts confidentiality, integrity, and availability by allowing unauthorized access to bot communication channels, which could be used to manipulate messages, disrupt bot operations, or exfiltrate data. Although no public exploits are currently known, the ease of exploitation by low-privileged authenticated users makes this a significant risk for affected installations. The vulnerability affects all versions of the plugin up to 4.5.4, and no official patch links are currently provided, which emphasizes the need for immediate mitigation steps.
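The pattern CWE-862 describes, shown as an added illustration in a WordPress admin-ajax handler (this is constructed example code, not the WPS Telegram Chat plugin's source; the class, action, option and parameter names are hypothetical). The first method performs the Bot API call with no authorization check, so any logged-in user, subscribers included, can trigger it; the second gates the same work behind a nonce and a capability check.

```php
<?php
// Constructed example of a missing-authorization (CWE-862) admin-ajax handler
// and its hardened form. Not the plugin's code; all names are hypothetical.

class Example_Telegram_Admin {
    public function __construct() {
        // wp_ajax_* hooks fire for ANY authenticated user (subscriber and up),
        // so each handler must enforce authorization itself.
        add_action( 'wp_ajax_example_check_connection_unsafe', array( $this, 'check_connection_unsafe' ) );
        add_action( 'wp_ajax_example_check_connection', array( $this, 'check_connection' ) );
    }

    // Vulnerable pattern: calls the Telegram Bot API for whoever is logged in.
    // No nonce, no capability check.
    public function check_connection_unsafe() {
        $token = sanitize_text_field( wp_unslash( $_POST['token'] ?? '' ) );
        $resp  = wp_remote_get( 'https://api.telegram.org/bot' . $token . '/getMe' );
        wp_send_json( json_decode( wp_remote_retrieve_body( $resp ), true ) );
    }

    // Hardened pattern: CSRF nonce first, then a capability gate, then the work.
    public function check_connection() {
        // Dies with HTTP 403 when the nonce is missing or invalid.
        check_ajax_referer( 'example_check_connection', 'nonce' );

        // Only users allowed to manage site options may probe the bot connection.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
        }

        $token = sanitize_text_field( wp_unslash( $_POST['token'] ?? '' ) );
        $resp  = wp_remote_get( 'https://api.telegram.org/bot' . $token . '/getMe' );
        if ( is_wp_error( $resp ) ) {
            wp_send_json_error( array( 'message' => $resp->get_error_message() ), 502 );
        }
        wp_send_json_success( json_decode( wp_remote_retrieve_body( $resp ), true ) );
    }
}

new Example_Telegram_Admin();
```

When auditing a plugin for this class of bug, grep for every `wp_ajax_` and `admin_post_` hook and confirm the handler reaches `current_user_can()` (and a nonce check) before any side effect or outbound request.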

Potential Impact

The vulnerability allows low-privileged authenticated users (subscribers and above) to interact with the Telegram Bot API endpoint without proper authorization, which can lead to unauthorized data modification or deletion. This compromises the confidentiality and integrity of data transmitted through the Telegram bot integration and may disrupt availability if the bot is manipulated or disabled. Organizations relying on this plugin for communication or notification purposes could face operational disruptions, data leakage, or manipulation of automated messaging. Attackers could potentially use this access to send malicious or misleading messages via the Telegram bot, damaging organizational reputation or misleading users. Since WordPress is widely used globally, and Telegram is popular for business and community communications, the impact could be broad, especially for organizations that rely heavily on this integration for critical workflows.

Mitigation Recommendations

1. Immediately restrict subscriber-level and other low-privileged user access to the WordPress admin dashboard, or specifically to the WPS Telegram Chat plugin settings, until a patch is available.
2. Monitor and audit user roles and permissions to ensure only trusted users have access to the plugin features.
3. Disable the WPS Telegram Chat plugin if it is not essential or if secure alternatives exist.
4. Implement Web Application Firewall (WAF) rules to detect and block unauthorized attempts to access the Telegram Bot API endpoints via the plugin.
5. Regularly review WordPress user accounts and remove or downgrade unnecessary accounts with subscriber or higher privileges.
6. Stay alert for official patches or updates from the vendor and apply them promptly once released.
7. Consider isolating the Telegram bot communication to a separate, more secure environment, or using alternative secure integration methods.
8. Conduct internal security awareness to prevent misuse of subscriber accounts that could exploit this vulnerability.


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2024-10-08T13:01:45.587Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 699f6b54b7ef31ef0b552441

Added to database: 2/25/2026, 9:36:20 PM

Last enriched: 2/25/2026, 11:30:18 PM

Last updated: 2/26/2026, 8:04:01 AM
