CVE-2024-9687

Name of the Vulnerable Software and Affected Versions WP 2FA with Telegram plugin for WordPress versions up to, and including, 3.0

Description The issue is due to insufficient validation of the user-controlled key on the 'validate tg' action. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to log in as any existing user on the site, such as an administrator.

Recommendations For WP 2FA with Telegram plugin for WordPress versions up to, and including, 3.0, consider disabling the validate tg action until a patch is available to prevent exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.