Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Unauthenticated injection (PR:N) but the payload only fires when an admin opens settings and clicks 'Tested', so UI:R; DOM XSS runs in the admin context giving S:C with limited C:L/I:L and no availability impact.
Primary rating from Vendor (wordfence).
CVSS VectorVendor: wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The TelSender plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting in all versions up to, and including, 1.14.14. This is due to insufficient input sanitization when processing Telegram API responses containing attacker-controlled chat titles. This makes it possible for unauthenticated attackers to inject malicious scripts via Telegram chat titles that execute when an administrator opens the TelSender settings page and clicks the "Tested" button.
AnalysisAI
DOM-based cross-site scripting in the TelSender WordPress plugin (all versions through 1.14.14) lets unauthenticated attackers plant a malicious payload inside a Telegram chat title that the plugin renders unsanitized. When an administrator opens the TelSender settings page and clicks the 'Tested' button, the plugin processes the attacker-controlled Telegram API response and executes the injected script in the admin's authenticated browser session. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the WordPress site runs TelSender (≤1.14.14) configured with a Telegram bot, and that the attacker can control a Telegram chat title that the bot will enumerate - i.e. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed and should temper the 7.2 rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker creates or renames a Telegram group/channel so its title contains a script payload (e.g. an image tag with an onerror handler) and maneuvers the target site's TelSender bot into that chat. … |
| Remediation | A source-code fix appears in the plugin's trunk changeset (https://plugins.trac.wordpress.org/changeset?reponame=&old=3449367%40telsender&new=3449367%40telsender), so an upstream fix is available but a specific tagged patched release version is not independently confirmed from the provided data - administrators should update TelSender to the latest available version above 1.14.14 once published and verify the changeset is included. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all WordPress installations running TelSender plugin and immediately disable it as a temporary measure to block exploitation. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42805
GHSA-fxxv-579v-962v