WordPress Plugin Vulnerabilities

TelSender < 1.14.15 - Unauthenticated Stored XSS via Telegram Chat Title

Description

The plugin is vulnerable to DOM-Based Cross-Site Scripting due to insufficient input sanitization when processing Telegram API responses containing attacker-controlled chat titles. This makes it possible for unauthenticated attackers to inject malicious scripts via Telegram chat titles that execute when an administrator opens the TelSender settings page and clicks the "Tested" button.

Affects Plugins

Plugin icon
telsender
Fixed in 1.14.15

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/cb02878a-2c85-4dcb-bdc0-e65addf9fb9c

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
7.1 (high)

Miscellaneous

Original Researcher
Kai Aizen
Verified
No
WPVDB ID
8667898e-be31-4e85-b45b-a418cd5a84db

Timeline

Publicly Published
2026-01-27 (about 4 months ago)
Added
2026-03-30 (about 2 months ago)
Last Updated
2026-03-30 (about 2 months ago)

Other

Published
Title
Published
2024-04-06
Title
Beaver Themer < 1.4.9.1 - Authenticated(Contributor+) Stored Cross-Site Scripting via shortcode
Published
2024-12-13
Title
IMS Countdown < 1.3.6 - Contributor+ Stored XSS
Published
2017-01-11
Title
WordPress 3.4-4.7 - Stored Cross-Site Scripting (XSS) via Theme Name fallback
Published
2024-06-26
Title
Elementor Addon Elements < 1.13.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-06-23
Title
Flexo Counter <= 1.0001 - Reflected Cross-Site Scripting