Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Network-reachable plugin endpoint, no auth needed (PR:N), but victim must click/visit (UI:R); XSS escapes plugin scope into admin session (S:C) with low CIA impact per typical reflected XSS.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Unauthenticated Cross Site Scripting (XSS) in Notification for Telegram <= 3.5 versions.
AnalysisAI
Reflected/stored cross-site scripting in the Notification for Telegram WordPress plugin (versions <= 3.5) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when they visit a crafted link or page. Patchstack attributes the issue to insufficient input sanitization in the plugin developed by rainafarai, and no public exploit code has been identified at time of analysis. The flaw carries CVSS 7.1 due to the scope change (S:C), reflecting that injected script runs in the WordPress admin or user context beyond the vulnerable component.
Technical ContextAI
The affected component is the 'Notification for Telegram' WordPress plugin (CPE cpe:2.3:a:rainafarai:notification_for_telegram), which integrates WordPress events with Telegram messaging. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-controlled input is rendered into HTML/JavaScript context without adequate escaping or sanitization. In WordPress plugin contexts, such flaws typically arise from missing esc_html(), esc_attr(), or wp_kses() calls on parameters that are reflected into plugin admin pages, frontend output, or settings screens. The scope change (S:C) in the CVSS vector indicates the injected script can affect security-relevant resources beyond the vulnerable plugin - most notably authenticated WordPress administrator sessions.
RemediationAI
No vendor-released patch version is identified in the available data - the Patchstack advisory documents the flaw against versions <= 3.5 but the input does not confirm a fixed release, so administrators should monitor the plugin's WordPress.org listing and the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/notification-for-telegram/vulnerability/wordpress-notification-for-telegram-plugin-3-5-cross-site-scripting-xss-vulnerability) for an upgrade beyond 3.5. As compensating controls until a patch is verified, deactivate and remove the plugin if it is not business-critical (fully eliminates exposure but removes Telegram notification functionality), or place the site behind a WAF such as Patchstack/Wordfence with XSS rules enabled (reduces but does not eliminate reflected-XSS payloads, and may produce false positives on legitimate admin input). Additionally, restrict /wp-admin access to known IPs and enforce a strict Content-Security-Policy header forbidding inline scripts and unknown origins - the trade-off is that some legitimate plugins relying on inline JavaScript may break.
More in Notification For Telegram
View allAuthorization bypass in the Notification for Telegram WordPress plugin (all versions through 3.5.1) allows authenticated
The Notification for Telegram plugin for WordPress is vulnerable to unauthorized test message sending due to a missing c
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36972
GHSA-2jm3-gfcg-hh57