CVE-2024-9628: 
WordPress vulnerability analysis and mitigation

The WPS Telegram Chat plugin for WordPress contains a vulnerability (CVE-2024-9628) due to a missing capability check on the 'Wps_Telegram_Chat_Admin::checkСonnection' function in versions up to and including 4.5.4. This security flaw was discovered and reported by Wordfence, with the initial disclosure made on October 25, 2024 (NVD).

The vulnerability stems from a missing authorization check in the plugin's admin functionality. The affected component is the 'Wps_Telegram_Chat_Admin::checkСonnection' function, which lacks proper capability verification. The severity of this vulnerability has been assessed with multiple CVSS scores: NIST assigned a CVSS v3.1 base score of 6.5 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, while Wordfence rated it at 6.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. The vulnerability is classified as CWE-862 (Missing Authorization) (NVD).

The vulnerability allows authenticated attackers with subscriber-level access or higher to gain full access to the Telegram Bot API endpoint and communicate with it. This can lead to unauthorized modification of data and potential data loss (NVD).

Users should upgrade to a version newer than 4.5.4 of the WPS Telegram Chat plugin to address this vulnerability (NVD).