CVE-2024-9687: 
WordPress vulnerability analysis and mitigation

The WP 2FA with Telegram plugin for WordPress contains an Authentication Bypass vulnerability (CVE-2024-9687) affecting versions up to and including 3.0. The vulnerability was discovered and disclosed on October 14, 2024, impacting the WordPress plugin's two-factor authentication functionality (NVD CVE).

The vulnerability stems from insufficient validation of the user-controlled key on the 'validate_tg' action. The issue has been assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) (Wordfence Advisory).

This vulnerability allows authenticated attackers with subscriber-level permissions or higher to bypass authentication controls and log in as any existing user on the site, including administrators. This effectively compromises the entire authentication system of affected WordPress installations (NVD CVE).

Site administrators running affected versions of the WP 2FA with Telegram plugin should upgrade to version 3.1 or later when available. Until then, it is recommended to consider disabling the plugin or implementing additional security controls to restrict access to authenticated functionality (NVD CVE).