• The plugin was kicked out of the English WordPress listing. In version 3.6.3, in the file guetebberg.js, there was a hidden address for additionally sending the login of the recipient of the “goodies” that had been set up on the site. What else is in there I cannot find; the AI sees that code has been inserted, but I am not smart enough to intercept the sending. So, at a minimum, you will be helping the plugin author build a database of Russian users.

Viewing 1 replies (of 1 total)
  • Plugin Author Marco Milesi

    (@milmor)

    Your accusations are completely false and quite serious. If they were true, I urge you to report them directly to WordPress.org, as they have a zero-tolerance policy for such malicious claims.

    Let me be clear: there is no file named “guetebberg.js” in the plugin. The only file is “gutenberg.js,” and you can verify the content for version 3.6.3 here: https://plugins.svn.wordpress.org/telegram-bot/tags/3.6.3/.

    Furthermore, the vulnerability you mentioned does not involve sending external credentials. It relates to a minor “sanitize” XSS issue concerning the plugin’s settings, which can only be exploited by users with administrative access. This is not the serious threat you are implying. You can check it here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34006

    The development is transparent and you can also follow it on GitHub: https://github.com/WPGov/telegram-bot.

    Your claims are unfounded, and I encourage you to verify the facts yourself rather than giving unnecessary credit to AI, because the entire codebase is public and the “malware” you mentioned never existed.


The topic ‘A plugin with a false bottom’ is closed to new replies.