Platform
wordpress
Component
wptelegram-widget
Fixed in
2.2.14
CVE-2026-23807 describes a Reflected Cross-Site Scripting (XSS) vulnerability affecting the WP Telegram Widget and Join Link WordPress plugin. This flaw allows attackers to inject malicious JavaScript code into web pages viewed by other users. The vulnerability impacts versions from 0.0.0 through 2.2.13 and has been resolved in version 2.2.14. Prompt patching is recommended to prevent potential exploitation.
Successful exploitation of CVE-2026-23807 allows an attacker to execute arbitrary JavaScript code in the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft (e.g., stealing login cookies), defacement of the website, and redirection to phishing sites. The attacker needs to trick a user into clicking a specially crafted link containing the malicious script. The blast radius extends to all users who visit the affected page with the injected script, potentially compromising sensitive data and website integrity.
CVE-2026-23807 was publicly disclosed on 2026-03-25. While no active exploitation campaigns have been publicly reported, the presence of a readily exploitable XSS vulnerability increases the risk of opportunistic attacks. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is likely to emerge, increasing the likelihood of exploitation.
Exploit Status
EPSS
0.04% (11% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-23807 is to immediately upgrade the WP Telegram Widget and Join Link plugin to version 2.2.14 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on user-supplied data to reduce the risk of XSS. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of protection. Regularly scan your WordPress installation for vulnerabilities using security plugins.
Update to version 2.2.14, or a newer patched version
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-23807 is a Reflected XSS vulnerability in the WP Telegram Widget and Join Link plugin, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using WP Telegram Widget and Join Link versions 0.0.0 through 2.2.13. Upgrade to 2.2.14 or later to mitigate the risk.
Upgrade the WP Telegram Widget and Join Link plugin to version 2.2.14 or later. Consider input validation and WAF rules as additional protections.
No active exploitation campaigns have been publicly reported, but the vulnerability's ease of exploitation increases the risk of attacks.
Refer to the plugin developer's website or WordPress.org plugin repository for the latest information and updates regarding CVE-2026-23807.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.