WordPress Plugin Vulnerabilities

WP Telegram Widget and Join Link < 2.2.14 - Reflected Cross-Site Scripting

Description

The WP Telegram Widget and Join Link plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.2.13 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
wptelegram-widget
Fixed in 2.2.14

References

CVE
CVE-2026-23807
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/65f89b65-7231-469e-bd7d-cf6a1d962652

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
johska
Verified
No
WPVDB ID
843ca788-3abc-48a2-8b6e-dc9cdf52293e

Timeline

Publicly Published
2026-03-23 (about 2 months ago)
Added
2026-03-26 (about 1 month ago)
Last Updated
2026-03-26 (about 1 month ago)

Other

Published
Title
Published
2024-10-24
Title
Import and export users and customers < 1.27.6 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-02-28
Title
System Dashboard < 2.8.10 - XSS via Header Injection
Published
2023-10-20
Title
Add Custom Body Class <= 1.4.1 - Contributor+ Stored Cross-Site Scripting
Published
2025-09-05
Title
Course Booking Platform <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-12-20
Title
real.Kit <= 5.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting