DOM-Based Cross-Site Scripting Vulnerability in TelSender Plugin for WordPress
CVE-2026-15298
7.2HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2026-15298?
The TelSender plugin for WordPress is susceptible to DOM-Based Cross-Site Scripting due to inadequate input sanitization in all versions up to and including 1.14.14. This vulnerability arises when processing Telegram API responses that contain chat titles controlled by an attacker. Unauthenticated attackers can exploit this flaw to inject malicious scripts through the chat titles, which execute when an administrator accesses the TelSender settings page and clicks the 'Tested' button, potentially compromising site security.
Affected Version(s)
TelSender – Сontact form 7, Events, Wpforms, ninja forms and woocommerce to telegram bot 0 <= 1.14.14