Skip to main content

Notification for Telegram CVE-2026-7620

| EUVDEUVD-2026-43131 MEDIUM
Missing Authorization (CWE-862)
2026-07-11 Wordfence GHSA-76px-9qj6-wjpg
4.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
4.3 MEDIUM

Network-accessible endpoint requires only subscriber auth (PR:L); integrity-only impact limited to cron manipulation; no confidentiality or availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 05:00 vuln.today
CVE Published
Jul 11, 2026 - 03:44 cve.org
MEDIUM 4.3

DescriptionCVE.org

The Notification for Telegram plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.5.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create, modify, or reschedule the nftb_cron_hook WordPress cron event, enabling unauthorized manipulation of the plugin's background task scheduling logic.

AnalysisAI

Authorization bypass in the Notification for Telegram WordPress plugin (all versions through 3.5.1) allows authenticated subscribers to manipulate WordPress cron scheduling logic. Authenticated attackers with subscriber-level access or above can create, modify, or reschedule the nftb_cron_hook cron event due to missing authorization checks in nftncron.php, disrupting the plugin's background task scheduling for Telegram notifications. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain WordPress subscriber account
Delivery
Authenticate to target WordPress site
Exploit
Send crafted request to nftncron.php cron endpoint
Execution
Bypass missing authorization check
Persist
Manipulate nftb_cron_hook scheduling
Impact
Suppress or alter Telegram plugin notifications

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid WordPress account with at minimum subscriber-level privileges on the target site - unauthenticated exploitation is not possible per CVSS PR:L. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, score 4.3) reflects a realistic, constrained risk profile: network-reachable, low complexity, but requiring authenticated subscriber access, with only low integrity impact and no confidentiality or availability compromise. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who registers or already holds a WordPress subscriber account on a vulnerable site sends a crafted authenticated request targeting the plugin's cron management endpoint in nftncron.php, bypassing the missing authorization check. By rescheduling or repeatedly triggering nftb_cron_hook, the attacker could suppress legitimate Telegram security or operational notifications, potentially masking other malicious activity on the site. …
Remediation Upstream fix available via WordPress plugin repository changeset 3524838 (https://plugins.trac.wordpress.org/changeset?reponame=&old=3524838%40notification-for-telegram&new=3524838%40notification-for-telegram); the exact patched release version is not independently confirmed from available data - WordPress site administrators should update to the latest available version of the plugin through the WordPress dashboard, which will deploy the trunk-based fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-7620 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy