Platform
wordpress
Component
wptelegram-widget
Fixed in
2.2.14
CVE-2026-23807 describes a Reflected Cross-Site Scripting (XSS) vulnerability affecting the WP Telegram Widget and Join Link WordPress plugin. This flaw allows attackers to inject malicious JavaScript code into web pages viewed by other users. The vulnerability impacts versions from 0.0.0 through 2.2.13 and has been resolved in version 2.2.14. Prompt patching is recommended to prevent potential exploitation.
Successful exploitation of CVE-2026-23807 allows an attacker to execute arbitrary JavaScript code in the context of a victim's browser session. This can lead to various malicious outcomes, including session hijacking, credential theft (e.g., stealing login cookies), defacement of the website, and redirection to phishing sites. The attacker needs to trick a user into clicking a specially crafted link containing the malicious script. The blast radius extends to all users who visit the affected page with the injected script, potentially compromising sensitive data and website integrity.
CVE-2026-23807 was publicly disclosed on 2026-03-25. While no active exploitation campaigns have been publicly reported, the presence of a readily exploitable XSS vulnerability increases the risk of opportunistic attacks. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is likely to emerge, increasing the likelihood of exploitation.
Websites using the WP Telegram Widget and Join Link plugin, particularly those with user-generated content or public-facing forms, are at risk. Shared hosting environments where multiple websites share the same server resources are also more vulnerable, as a compromise on one site could potentially impact others.
• wordpress / composer / npm:
grep -r "wptelegram-widget" /var/www/html/wp-content/plugins/
wp plugin list | grep wptelegram-widget
• generic web:
curl -I https://example.com/?url=XSS_PAYLOAD | grep Content-Type
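The grep and wp-cli commands above only tell you the plugin is present; deciding whether it falls in the affected range (0.0.0 through 2.2.13) still needs a version comparison. The following checker is an added example, not code from the advisory or the plugin: it reads the `Version:` header from the plugin's main PHP file under wp-content/plugins/wptelegram-widget/ and compares it with the fixed release 2.2.14. The sample header at the bottom is constructed for a stand-alone run, and the plugin directory layout is assumed from the slug on this page.

```python
"""Classify an installed wptelegram-widget copy as vulnerable or patched."""
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "2.2.14"           # first patched release named in the advisory
PLUGIN_SLUG = "wptelegram-widget"  # directory name under wp-content/plugins/

# WordPress plugin headers carry a line such as " * Version: 2.2.13".
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric components of the Version header, or None if absent."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    parts = []
    for piece in match.group(1).split("."):
        digits = re.match(r"\d+", piece)  # tolerate suffixes such as "14-beta"
        if not digits:
            break
        parts.append(int(digits.group()))
    return tuple(parts) or None


def is_vulnerable(version: Tuple[int, ...], fixed: str = FIXED_VERSION) -> bool:
    """True when version < fixed; shorter tuples are zero-padded so 2.2 == 2.2.0."""
    fixed_t = tuple(int(p) for p in fixed.split("."))
    width = max(len(version), len(fixed_t))
    return version + (0,) * (width - len(version)) < fixed_t + (0,) * (width - len(fixed_t))


def check_plugin_dir(plugins_root: str) -> str:
    """Scan the plugin's top-level PHP files for a Version header and classify it."""
    plugin_dir = Path(plugins_root) / PLUGIN_SLUG
    if not plugin_dir.is_dir():
        return "not-installed"
    for php in sorted(plugin_dir.glob("*.php")):  # main file name is not assumed
        version = parse_version(php.read_text(errors="replace"))
        if version is not None:
            return "vulnerable" if is_vulnerable(version) else "patched"
    return "unknown-version"


# Constructed sample header (not a real plugin file) used for the stand-alone run.
SAMPLE_HEADER = "<?php\n/**\n * Plugin Name: WP Telegram Widget and Join Link\n * Version: 2.2.13\n */\n"

if __name__ == "__main__":
    v = parse_version(SAMPLE_HEADER)
    print(v, "vulnerable" if v and is_vulnerable(v) else "patched")
```

Point `check_plugin_dir` at your real plugins directory (for example `/var/www/html/wp-content/plugins`) to classify a live install.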
Exploit Status
EPSS
0.04% (percentile 11%)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-23807 is to immediately upgrade the WP Telegram Widget and Join Link plugin to version 2.2.14 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on user-supplied data to reduce the risk of XSS. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of protection. Regularly scan your WordPress installation for vulnerabilities using security plugins.
Update to version 2.2.14, or a newer patched version
CVE-2026-23807 is a Reflected XSS vulnerability in the WP Telegram Widget and Join Link plugin, allowing attackers to inject malicious scripts via crafted URLs.
You are affected if you are using WP Telegram Widget and Join Link versions 0.0.0 through 2.2.13. Upgrade to 2.2.14 or later to mitigate the risk.
Upgrade the WP Telegram Widget and Join Link plugin to version 2.2.14 or later. Consider input validation and WAF rules as additional protections.
No active exploitation campaigns have been publicly reported, but the vulnerability's ease of exploitation increases the risk of attacks.
Refer to the plugin developer's website or WordPress.org plugin repository for the latest information and updates regarding CVE-2026-23807.