Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Socio WP Telegram Widget and Join Link wptelegram-widget allows Reflected XSS.This issue affects WP Telegram Widget and Join Link: from n/a through <= 2.2.13.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WP Telegram Widget and Join Link WordPress plugin (versions up to 2.2.13) that allows attackers to inject malicious JavaScript code into web pages viewed by other users. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and affects all installations of this plugin running the vulnerable versions. An attacker can craft a malicious URL containing JavaScript payloads that, when clicked by a victim, executes arbitrary code in the victim's browser within the context of the WordPress site, potentially leading to session hijacking, credential theft, or malware distribution. No CVSS score, EPSS data, or KEV status has been published, but Patchstack has documented this vulnerability with a public reference.
Technical ContextAI
The WP Telegram Widget and Join Link plugin (identified via CPE cpe:2.3:a:wp_socio:wp_telegram_widget_and_join_link:*:*:*:*:*:*:*:*) is a WordPress plugin that provides functionality to embed Telegram widgets and generate join links within WordPress sites. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning the plugin fails to properly sanitize and escape user-supplied input before rendering it in HTML output. Reflected XSS occurs when an attacker injects malicious input through URL parameters or form data, which the application reflects back in the HTTP response without sanitization. In the context of WordPress plugins, this typically means request parameters are directly echoed into page output without using WordPress escaping functions such as esc_html(), esc_attr(), or wp_kses_post().
RemediationAI
The primary remediation is to upgrade WP Telegram Widget and Join Link to a patched version newer than 2.2.13 as soon as it becomes available from the plugin vendor (WP Socio). Website administrators should immediately check the WordPress plugin repository or the vendor's official website for a security update. Until a patch is released, administrators should consider disabling the plugin if it is not critical to site functionality, or restrict access to the widget features via WordPress user role management to limit exposure to untrusted users. Additionally, implement Content Security Policy (CSP) headers via the site's web server or WordPress security plugins (such as Wordfence) to mitigate reflected XSS impact by preventing inline script execution. Monitor the Patchstack advisory link (https://patchstack.com/database/Wordpress/Plugin/wptelegram-widget/) for patch availability announcements and apply updates immediately upon release.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15543
GHSA-ccc6-97ww-gq9h