The WordPress plugin “Bot for Telegram on WooCommerce” has a vulnerability that exposes sensitive information. The cause is a missing authorization check on the action “stm_wpcfto_get_settings”. All versions of the plugin up to version 1.2.4 are affected. An attacker who is logged in as a subscriber or higher can read the Telegram Bot Token, the secret that controls the bot. Because the plugin lets users log in with their Telegram account, an attacker who holds this token could potentially log in as any user on the website, including administrators, if they know the username.
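
The kind of check the advisory describes as missing, as an added example and not the plugin's own code: a settings-read handler that verifies a nonce, requires an administrative capability, and masks the token before responding. It assumes the action is exposed as a logged-in AJAX hook; the names `example_get_settings`, `example_bot_settings`, `example_settings_nonce` and `bot_token` are hypothetical.

```php
<?php
// Added illustration. All names (example_get_settings, example_bot_settings,
// example_settings_nonce, bot_token) are hypothetical, not taken from the plugin.

// A wp_ajax_{action} hook fires for ANY logged-in user, subscribers included,
// so the callback itself must decide who is allowed to read settings.
add_action( 'wp_ajax_example_get_settings', 'example_get_settings_hardened' );

/**
 * Replace secret values with a fixed mask so the raw token never leaves the server.
 */
function example_mask_secrets( array $settings, array $secret_keys ) {
    foreach ( $secret_keys as $key ) {
        if ( ! empty( $settings[ $key ] ) ) {
            $settings[ $key ] = '********';
        }
    }
    return $settings;
}

function example_get_settings_hardened() {
    // 1. Nonce check: protects against CSRF. It is NOT an authorization check,
    //    because any logged-in user can usually obtain a valid nonce.
    if ( ! check_ajax_referer( 'example_settings_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Authorization: only roles that can manage site options may read
    //    plugin settings. Subscribers fail here. wp_send_json_error() exits.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    $settings = get_option( 'example_bot_settings', array() );
    if ( ! is_array( $settings ) ) {
        $settings = array();
    }

    // 3. Defense in depth: even an administrator's browser gets a masked token.
    //    The settings form only needs to know that a token is set.
    wp_send_json_success( example_mask_secrets( $settings, array( 'bot_token' ) ) );
}
```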