Impact
The vulnerability is a missing authorization flaw that allows an attacker to exploit incorrectly configured access control levels within the Guru Team Bot for Telegram on WooCommerce plugin. An unauthenticated or poorly authenticated user could gain access to bot functionality that should be restricted, potentially enabling manipulation of bot settings, message delivery, or other privileged operations. The weakness is classified as CWE-862 (Missing Authorization): the plugin does not perform an authorization check before an actor accesses a resource or performs an action.
Affected Systems
The affected product is Guru Team Bot for Telegram on WooCommerce. All installations of the plugin up to, and including, version 1.2.6 are impacted. Versions earlier than the first public release are also susceptible on any site where they were installed. No specific operating system or environment constraints are listed; the issue exists within the WordPress plugin code base.
Risk and Exploitability
The CVSS score of 4.3 places this flaw in the moderate range, yet the EPSS score of less than 1% indicates a very low likelihood of exploitation at the current time. The vulnerability is not listed in the CISA KEV catalog, suggesting it is not known to be actively exploited in the wild. While the exact attack vector is not detailed in the description, it is inferred that the flaw could be leveraged remotely through normal WordPress administrative interfaces or potentially publicly exposed plugin endpoints that fail to enforce proper access controls.