Back to overview

CVE-2026-15298

HIGH
7.2
CVSS 3.1
Description
The TelSender plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting in all versions up to, and including, 1.14.14. This is due to insufficient input sanitization when processing Telegram API responses containing attacker-controlled chat titles. This makes it possible for unauthenticated attackers to inject malicious scripts via Telegram chat titles that execute when an administrator opens the TelSender settings page and clicks the "Tested" button.

Metadata

CVE ID
CVE-2026-15298
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-07-09 15:53 UTC
Published
2026-07-10 04:31 UTC
Last updated
2026-07-10 04:31 UTC
Primary CWE
CWE-79
CWE-79 Improper Neutralization of Input During Web Page Gene…
Vendor / Product
pechenki / TelSender – Сontact form 7, Events, Wpforms, ninja forms and woocommerce to telegram bot
Sources
cve.org  ·  NVD

Severity & Metrics

7.2 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
pechenki TelSender – Сontact form 7, Events, Wpforms, ninja forms and woocommerce to telegram bot 0 ≤ 1.14.14
Weakness (CWE)
CWESourceDescription
CWE-79 cna CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.2 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Back to overview