DOM-Based Cross-Site Scripting Vulnerability in TelSender Plugin for WordPress
CVE-2026-15298

7.2HIGH

What is CVE-2026-15298?

The TelSender plugin for WordPress is susceptible to DOM-Based Cross-Site Scripting due to inadequate input sanitization in all versions up to and including 1.14.14. This vulnerability arises when processing Telegram API responses that contain chat titles controlled by an attacker. Unauthenticated attackers can exploit this flaw to inject malicious scripts through the chat titles, which execute when an administrator accesses the TelSender settings page and clicks the 'Tested' button, potentially compromising site security.

Affected Version(s)

TelSender – Сontact form 7, Events, Wpforms, ninja forms and woocommerce to telegram bot 0 <= 1.14.14

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kai Aizen
.