Skip to main content

Notification for Telegram CVE-2026-40732

| EUVDEUVD-2026-36972 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-15 Patchstack GHSA-2jm3-gfcg-hh57
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Network-reachable plugin endpoint, no auth needed (PR:N), but victim must click/visit (UI:R); XSS escapes plugin scope into admin session (S:C) with low CIA impact per typical reflected XSS.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:14 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in Notification for Telegram <= 3.5 versions.

AnalysisAI

Reflected/stored cross-site scripting in the Notification for Telegram WordPress plugin (versions <= 3.5) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when they visit a crafted link or page. Patchstack attributes the issue to insufficient input sanitization in the plugin developed by rainafarai, and no public exploit code has been identified at time of analysis. The flaw carries CVSS 7.1 due to the scope change (S:C), reflecting that injected script runs in the WordPress admin or user context beyond the vulnerable component.

Technical ContextAI

The affected component is the 'Notification for Telegram' WordPress plugin (CPE cpe:2.3:a:rainafarai:notification_for_telegram), which integrates WordPress events with Telegram messaging. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input is rendered into HTML/JavaScript context without adequate escaping or sanitization. In WordPress plugin contexts, such flaws typically arise from missing esc_html(), esc_attr(), or wp_kses() calls on parameters that are reflected into plugin admin pages, frontend output, or settings screens. The scope change (S:C) in the CVSS vector indicates the injected script can affect security-relevant resources beyond the vulnerable plugin - most notably authenticated WordPress administrator sessions.

RemediationAI

No vendor-released patch version is identified in the available data - the Patchstack advisory documents the flaw against versions <= 3.5 but the input does not confirm a fixed release, so administrators should monitor the plugin's WordPress.org listing and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/notification-for-telegram/vulnerability/wordpress-notification-for-telegram-plugin-3-5-cross-site-scripting-xss-vulnerability) for an upgrade beyond 3.5. As compensating controls until a patch is verified, deactivate and remove the plugin if it is not business-critical (fully eliminates exposure but removes Telegram notification functionality), or place the site behind a WAF such as Patchstack/Wordfence with XSS rules enabled (reduces but does not eliminate reflected-XSS payloads, and may produce false positives on legitimate admin input). Additionally, restrict /wp-admin access to known IPs and enforce a strict Content-Security-Policy header forbidding inline scripts and unknown origins - the trade-off is that some legitimate plugins relying on inline JavaScript may break.

Share

CVE-2026-40732 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy