Skip to main content

Wp Telegram Widget And Join Link CVE-2026-23807

| EUVDEUVD-2026-15543 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-ccc6-97ww-gq9h
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15543
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Socio WP Telegram Widget and Join Link wptelegram-widget allows Reflected XSS.This issue affects WP Telegram Widget and Join Link: from n/a through <= 2.2.13.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WP Telegram Widget and Join Link WordPress plugin (versions up to 2.2.13) that allows attackers to inject malicious JavaScript code into web pages viewed by other users. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and affects all installations of this plugin running the vulnerable versions. An attacker can craft a malicious URL containing JavaScript payloads that, when clicked by a victim, executes arbitrary code in the victim's browser within the context of the WordPress site, potentially leading to session hijacking, credential theft, or malware distribution. No CVSS score, EPSS data, or KEV status has been published, but Patchstack has documented this vulnerability with a public reference.

Technical ContextAI

The WP Telegram Widget and Join Link plugin (identified via CPE cpe:2.3:a:wp_socio:wp_telegram_widget_and_join_link:*:*:*:*:*:*:*:*) is a WordPress plugin that provides functionality to embed Telegram widgets and generate join links within WordPress sites. The root cause is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning the plugin fails to properly sanitize and escape user-supplied input before rendering it in HTML output. Reflected XSS occurs when an attacker injects malicious input through URL parameters or form data, which the application reflects back in the HTTP response without sanitization. In the context of WordPress plugins, this typically means request parameters are directly echoed into page output without using WordPress escaping functions such as esc_html(), esc_attr(), or wp_kses_post().

RemediationAI

The primary remediation is to upgrade WP Telegram Widget and Join Link to a patched version newer than 2.2.13 as soon as it becomes available from the plugin vendor (WP Socio). Website administrators should immediately check the WordPress plugin repository or the vendor's official website for a security update. Until a patch is released, administrators should consider disabling the plugin if it is not critical to site functionality, or restrict access to the widget features via WordPress user role management to limit exposure to untrusted users. Additionally, implement Content Security Policy (CSP) headers via the site's web server or WordPress security plugins (such as Wordfence) to mitigate reflected XSS impact by preventing inline script execution. Monitor the Patchstack advisory link (https://patchstack.com/database/Wordpress/Plugin/wptelegram-widget/) for patch availability announcements and apply updates immediately upon release.

Share

CVE-2026-23807 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy