Skip to main content

TelSender EUVDEUVD-2026-42805

| CVE-2026-15298 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-10 security@wordfence.com GHSA-fxxv-579v-962v
7.2
CVSS 3.1 · Vendor: wordfence
Share

Severity by source

Vendor (wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Unauthenticated injection (PR:N) but the payload only fires when an admin opens settings and clicks 'Tested', so UI:R; DOM XSS runs in the admin context giving S:C with limited C:L/I:L and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (wordfence).

CVSS VectorVendor: wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 05:37 vuln.today
CVE Published
Jul 10, 2026 - 05:16 nvd
HIGH 7.2

DescriptionCVE.org

The TelSender plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting in all versions up to, and including, 1.14.14. This is due to insufficient input sanitization when processing Telegram API responses containing attacker-controlled chat titles. This makes it possible for unauthenticated attackers to inject malicious scripts via Telegram chat titles that execute when an administrator opens the TelSender settings page and clicks the "Tested" button.

AnalysisAI

DOM-based cross-site scripting in the TelSender WordPress plugin (all versions through 1.14.14) lets unauthenticated attackers plant a malicious payload inside a Telegram chat title that the plugin renders unsanitized. When an administrator opens the TelSender settings page and clicks the 'Tested' button, the plugin processes the attacker-controlled Telegram API response and executes the injected script in the admin's authenticated browser session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Rename attacker-controlled Telegram chat with payload
Delivery
Bot enumerates chat titles via API
Exploit
Admin opens TelSender settings, clicks 'Tested'
Execution
Unsanitized title injected into DOM
Persist
Script runs in admin session
Impact
Session hijack / rogue admin created

Vulnerability AssessmentAI

Exploitation Exploitation requires that the WordPress site runs TelSender (≤1.14.14) configured with a Telegram bot, and that the attacker can control a Telegram chat title that the bot will enumerate - i.e. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and should temper the 7.2 rating. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker creates or renames a Telegram group/channel so its title contains a script payload (e.g. an image tag with an onerror handler) and maneuvers the target site's TelSender bot into that chat. …
Remediation A source-code fix appears in the plugin's trunk changeset (https://plugins.trac.wordpress.org/changeset?reponame=&old=3449367%40telsender&new=3449367%40telsender), so an upstream fix is available but a specific tagged patched release version is not independently confirmed from the provided data - administrators should update TelSender to the latest available version above 1.14.14 once published and verify the changeset is included. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress installations running TelSender plugin and immediately disable it as a temporary measure to block exploitation. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-42805 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy