CVE-2026-15298 in TelSender Plugininfo

Summary

by MITRE • 07/10/2026

The TelSender plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting in all versions up to, and including, 1.14.14. This is due to insufficient input sanitization when processing Telegram API responses containing attacker-controlled chat titles. This makes it possible for unauthenticated attackers to inject malicious scripts via Telegram chat titles that execute when an administrator opens the TelSender settings page and clicks the "Tested" button.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/10/2026

The TelSender WordPress plugin presents a significant security risk through a DOM-Based Cross-Site Scripting vulnerability that affects all versions up to and including 1.14.14. This flaw resides in the plugin's insufficient input sanitization mechanisms when processing responses from the Telegram API, specifically targeting chat titles that can be controlled by attackers. The vulnerability operates at the client-side level where malicious scripts injected into Telegram chat titles are executed within the browser context of administrators who interact with the plugin's interface.

The technical exploitation pathway involves an unauthenticated attacker crafting malicious input within Telegram chat titles that get processed and displayed by the TelSender plugin. When administrators navigate to the plugin settings page and click the "Tested" button, the DOM-based XSS vulnerability is triggered as the malicious script content gets executed in their browser session. This represents a classic dom-based xss vector where the attack payload is delivered through the URL or DOM elements rather than traditional server-side input parameters, making it particularly insidious as it can bypass many standard server-side security controls.

The operational impact of this vulnerability extends beyond simple script execution as it provides attackers with potential access to administrative sessions and sensitive data within the WordPress environment. The vulnerability creates a persistent threat vector that requires administrative interaction to exploit, meaning attackers must convince administrators to perform specific actions such as clicking the "Tested" button. This social engineering component makes the attack more challenging but also more dangerous when successful, as it can lead to complete administrative compromise of the WordPress site.

The vulnerability aligns with CWE-79 which specifically addresses Cross-Site Scripting flaws in web applications, and demonstrates characteristics consistent with ATT&CK technique T1566.002 for initial access through spearphishing attachments or links. The exploitation requires minimal privileges from attackers but can result in significant damage to the targeted WordPress installation. Organizations should prioritize immediate patching of affected versions and implement additional security controls such as Content Security Policy headers to mitigate the risk of successful exploitation.

Administrative users should be educated about the risks associated with clicking untrusted links or interacting with potentially malicious content within plugin interfaces, while security teams should monitor for signs of exploitation attempts through unusual activity in the TelSender plugin settings. The vulnerability underscores the importance of proper input validation and sanitization at all levels of web application development, particularly when handling user-controllable data from external APIs. Organizations maintaining WordPress installations should conduct thorough security assessments to identify similar vulnerabilities in other plugins and ensure comprehensive protection against DOM-based XSS attacks through proper security hardening measures.

Responsible

Wordfence

Reservation

07/09/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!