HIGH · CVE-2026-23807 · CVSS 7.1

CVE-2026-23807: Reflected XSS in WP Telegram Widget

Platform

wordpress

Component

wptelegram-widget

Fixed in

2.2.14

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-23807 describes a Reflected Cross-Site Scripting (XSS) vulnerability affecting the WP Telegram Widget and Join Link WordPress plugin. This flaw allows attackers to inject malicious JavaScript code into web pages viewed by other users. The vulnerability impacts versions from 0.0.0 through 2.2.13 and has been resolved in version 2.2.14. Prompt patching is recommended to prevent potential exploitation.


Impact and Attack Scenarios

Successful exploitation of CVE-2026-23807 allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session. This can lead to session hijacking, credential theft (for example, stealing login cookies), defacement of the website, and redirection to phishing sites. Because the flaw is reflected, the attacker must get a victim to open a specially crafted link that carries the script; every user who can be induced to follow such a link is exposed, putting sensitive data and website integrity at risk.

Exploitation Context

CVE-2026-23807 was publicly disclosed on 2026-03-25. While no active exploitation campaigns have been publicly reported, the presence of a readily exploitable XSS vulnerability increases the risk of opportunistic attacks. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is likely to emerge, increasing the likelihood of exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.04% (11th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L (base score 7.1, HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: Low (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
Low — partial or indirect data access. Attacker gains limited information.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
Low — partial or intermittent denial of service. Attacker can degrade performance.

Affected Software

Component: wptelegram-widget
Vendor: wordfence
Affected range: 0.0.0 – 2.2.13
Fixed in: 2.2.14

Package Information

Active installs
4K
Plugin rating
4.9
Requires WordPress
6.6+
Compatible up to
6.9.4
Requires PHP
8.0+

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-23807 is to immediately upgrade the WP Telegram Widget and Join Link plugin to version 2.2.14 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on user-supplied data to reduce the risk of XSS. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of protection. Regularly scan your WordPress installation for vulnerabilities using security plugins.
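As an added illustration of the "input validation and output encoding" workaround, not code from the plugin or from this advisory (the page does not say which parameter the plugin reflected, so the `tg_channel` query parameter, the shortcode name and the username format are hypothetical), here is the classic reflected-XSS pattern in a WordPress shortcode handler beside a hardened version built on WordPress's own sanitisation and escaping functions:

```php
<?php
// Added example, not the plugin's code. Shows the output-encoding mitigation
// for reflected XSS in a WordPress shortcode/widget handler.
// The request parameter "tg_channel" and the shortcode name are hypothetical.

// VULNERABLE PATTERN: a request parameter is reflected straight into HTML.
// The raw query-string value lands inside an attribute and a text node
// without escaping, so a crafted link controls the markup the victim renders.
function demo_widget_vulnerable() {
    $channel = isset( $_GET['tg_channel'] ) ? $_GET['tg_channel'] : '';
    return '<a class="tg-join" href="https://t.me/' . $channel . '">'
         . 'Join ' . $channel . '</a>';
}

// HARDENED PATTERN: validate on input, escape on output, and pick the escaping
// function that matches the context the value is written into.
function demo_widget_hardened() {
    // 1. Input validation: unslash, then strip tags and control characters.
    $raw     = isset( $_GET['tg_channel'] ) ? wp_unslash( $_GET['tg_channel'] ) : '';
    $channel = sanitize_text_field( $raw );

    // 2. Allow-list: assumed username format of 5-32 chars from [A-Za-z0-9_];
    //    anything else is rejected outright rather than "cleaned up".
    if ( ! preg_match( '/^[A-Za-z0-9_]{5,32}$/', $channel ) ) {
        return '';
    }

    // 3. Output encoding per context: esc_url() for the href,
    //    esc_html() for the text node (esc_attr() for other attributes).
    $url = esc_url( 'https://t.me/' . $channel );
    return sprintf(
        '<a class="tg-join" href="%s">Join %s</a>',
        $url,
        esc_html( $channel )
    );
}

add_shortcode( 'demo_tg_join', 'demo_widget_hardened' );
```

The allow-list step matters more than the escaping for a value that only ever names a channel: rejecting anything outside the expected character set removes the injection surface entirely, and the context-specific escaping is what protects the page when a broader value has to be rendered.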

How to fix

Update to version 2.2.14 or a newer patched version.


Frequently asked questions

What is CVE-2026-23807 — Reflected XSS in WP Telegram Widget?

CVE-2026-23807 is a Reflected XSS vulnerability in the WP Telegram Widget and Join Link plugin, allowing attackers to inject malicious scripts via crafted URLs.

Am I affected by CVE-2026-23807 in WP Telegram Widget?

You are affected if you are using WP Telegram Widget and Join Link versions 0.0.0 through 2.2.13. Upgrade to 2.2.14 or later to mitigate the risk.
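To turn the affected range above into a check you can run against an installation, here is an added PHP snippet that is not part of the plugin or this advisory. It assumes the plugin's main file lives at `wptelegram-widget/wptelegram-widget.php` under the plugins directory; the comparison itself relies only on PHP's `version_compare()` and the "fixed in 2.2.14" boundary stated on this page:

```php
<?php
// Added example, not from the plugin or the advisory. Decides whether an
// installed WP Telegram Widget version is in the affected range
// (0.0.0 through 2.2.13, fixed in 2.2.14).
// Assumed plugin main file: wptelegram-widget/wptelegram-widget.php.

const WPTG_WIDGET_FIXED_IN = '2.2.14';

/**
 * True when $installed is older than the first fixed release.
 * version_compare() handles the usual WordPress forms
 * (2.2.13, 2.2.14-beta1, 2.3.0-RC1, ...).
 */
function wptg_widget_is_affected( string $installed ): bool {
    return version_compare( $installed, WPTG_WIDGET_FIXED_IN, '<' );
}

/**
 * Read the installed version from the plugin header with WordPress's own
 * get_plugin_data(). Must run inside WordPress (e.g. `wp eval-file`);
 * returns null when the plugin is not installed.
 */
function wptg_widget_installed_version(): ?string {
    $file = WP_PLUGIN_DIR . '/wptelegram-widget/wptelegram-widget.php'; // assumed path
    if ( ! file_exists( $file ) ) {
        return null;
    }
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $data = get_plugin_data( $file, false, false );
    return $data['Version'] ?? null;
}

// Self-check on fixed strings (needs no WordPress):
// 2.2.13 -> affected, 2.2.14 -> fixed, 2.2.14-beta1 -> affected
// (a pre-release sorts below the release), 2.3.0 -> fixed.
foreach ( [ '2.2.13', '2.2.14', '2.2.14-beta1', '2.3.0' ] as $v ) {
    printf( "%-14s %s\n", $v, wptg_widget_is_affected( $v ) ? 'AFFECTED' : 'fixed' );
}

// Live check when executed inside a WordPress bootstrap.
if ( defined( 'ABSPATH' ) ) {
    $v = wptg_widget_installed_version();
    echo $v === null
        ? "Plugin not installed.\n"
        : sprintf( "Installed %s: %s\n", $v,
            wptg_widget_is_affected( $v ) ? 'AFFECTED, update to 2.2.14 or later' : 'fixed' );
}
```

Run `php check.php` for the self-check alone, or `wp eval-file check.php` from the site root to read the real installed version through WP-CLI. Checking the version header rather than a file hash is deliberate: the fix is identified on this page only by release number, so the release boundary is the one fact the check can rely on.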

How do I fix CVE-2026-23807 in WP Telegram Widget?

Upgrade the WP Telegram Widget and Join Link plugin to version 2.2.14 or later. Consider input validation and WAF rules as additional protections.

Is CVE-2026-23807 being actively exploited?

No active exploitation campaigns have been publicly reported, but the vulnerability's ease of exploitation increases the risk of attacks.

Where can I find the official WP Telegram Widget advisory for CVE-2026-23807?

Refer to the plugin developer's website or WordPress.org plugin repository for the latest information and updates regarding CVE-2026-23807.
