Skip to main content

Notification For Telegram

3 CVEs product

Monthly

CVE-2026-7620 MEDIUM This Month

Authorization bypass in the Notification for Telegram WordPress plugin (all versions through 3.5.1) allows authenticated subscribers to manipulate WordPress cron scheduling logic. Authenticated attackers with subscriber-level access or above can create, modify, or reschedule the nftb_cron_hook cron event due to missing authorization checks in nftncron.php, disrupting the plugin's background task scheduling for Telegram notifications. No public exploit or active exploitation has been identified at time of analysis; CVSS rates this Medium (4.3) with integrity-only impact.

Authentication Bypass WordPress Notification For Telegram
NVD
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-40732 HIGH This Week

Reflected/stored cross-site scripting in the Notification for Telegram WordPress plugin (versions <= 3.5) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when they visit a crafted link or page. Patchstack attributes the issue to insufficient input sanitization in the plugin developed by rainafarai, and no public exploit code has been identified at time of analysis. The flaw carries CVSS 7.1 due to the scope change (S:C), reflecting that injected script runs in the WordPress admin or user context beyond the vulnerable component.

XSS Notification For Telegram
NVD
CVSS 3.1
7.1
EPSS
0.2%
CVE-2024-9685 MEDIUM PATCH This Month

The Notification for Telegram plugin for WordPress is vulnerable to unauthorized test message sending due to a missing capability check on the 'nftb_test_action' function in versions up to, and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Notification For Telegram
NVD
CVSS 3.1
4.3
EPSS
0.3%
EPSS 0% CVSS 4.3
MEDIUM This Month

Authorization bypass in the Notification for Telegram WordPress plugin (all versions through 3.5.1) allows authenticated subscribers to manipulate WordPress cron scheduling logic. Authenticated attackers with subscriber-level access or above can create, modify, or reschedule the nftb_cron_hook cron event due to missing authorization checks in nftncron.php, disrupting the plugin's background task scheduling for Telegram notifications. No public exploit or active exploitation has been identified at time of analysis; CVSS rates this Medium (4.3) with integrity-only impact.

Authentication Bypass WordPress Notification For Telegram
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Reflected/stored cross-site scripting in the Notification for Telegram WordPress plugin (versions <= 3.5) allows unauthenticated remote attackers to inject malicious JavaScript that executes in a victim's browser when they visit a crafted link or page. Patchstack attributes the issue to insufficient input sanitization in the plugin developed by rainafarai, and no public exploit code has been identified at time of analysis. The flaw carries CVSS 7.1 due to the scope change (S:C), reflecting that injected script runs in the WordPress admin or user context beyond the vulnerable component.

XSS Notification For Telegram
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Notification for Telegram plugin for WordPress is vulnerable to unauthorized test message sending due to a missing capability check on the 'nftb_test_action' function in versions up to, and. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. This Missing Authorization vulnerability could allow attackers to access resources or perform actions without proper authorization checks.

Authentication Bypass WordPress Notification For Telegram
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy