{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/pechenki/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-15298"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["TelSender plugin (\u003c= 1.14.14)","WordPress"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","xss","web-application","cve"],"_cs_type":"advisory","_cs_vendors":["pechenki","WordPress"],"content_html":"\u003cp\u003eA DOM-Based Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-15298, has been identified in the TelSender plugin for WordPress, affecting all versions up to and including 1.14.14. This vulnerability stems from insufficient input sanitization when the plugin processes Telegram API responses, specifically those containing attacker-controlled chat titles. Exploitation of this flaw enables unauthenticated attackers to inject arbitrary malicious scripts. These scripts are then executed in the context of an administrator's browser when they access the TelSender settings page and click the \u0026quot;Tested\u0026quot; button. This interaction triggers the client-side rendering of the unsanitized Telegram chat title, leading to the execution of the attacker's script. The vulnerability poses a significant risk as it can lead to session hijacking, credential theft, or further compromise of the WordPress site.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Controls Telegram Chat Title:\u003c/strong\u003e An unauthenticated attacker registers a Telegram chat or group and sets its title to contain malicious JavaScript payload (e.g., \u003ccode\u003e\u0026lt;script\u0026gt;alert(document.cookie)\u0026lt;/script\u0026gt;\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTelSender Plugin Connects to Telegram:\u003c/strong\u003e The legitimate WordPress site administrator configures and connects the TelSender plugin to their Telegram account, allowing it to retrieve Telegram API responses, including chat titles.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Chat Title Stored/Processed:\u003c/strong\u003e The TelSender plugin processes the Telegram API response, which includes the attacker-controlled chat title. Due to insufficient sanitization, the malicious script within the chat title is embedded into the plugin's data structures or directly into the DOM.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAdministrator Accesses Settings:\u003c/strong\u003e The administrator navigates to the TelSender plugin's settings page within the WordPress admin dashboard.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAdministrator Clicks \u0026quot;Tested\u0026quot; Button:\u003c/strong\u003e The administrator interacts with the settings page, specifically clicking the \u0026quot;Tested\u0026quot; button. This action triggers the vulnerable client-side code within the plugin.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDOM-Based XSS Execution:\u003c/strong\u003e The plugin's JavaScript code renders the previously processed (and unsanitized) Telegram chat title directly into the Document Object Model (DOM) of the administrator's browser.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalicious Script Execution:\u003c/strong\u003e The injected malicious JavaScript payload executes within the administrator's browser context, potentially leading to session hijacking, credential theft, or further administrative actions on the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-15298 allows unauthenticated attackers to execute arbitrary JavaScript code within the context of an administrator's browser. This can lead to severe consequences, including but not limited to, complete administrative control over the affected WordPress website, theft of sensitive information (e.g., session cookies, login credentials), redirection of users to malicious sites, or defacement. While no specific victim numbers are available, WordPress plugins are widely deployed, making this a critical concern for organizations utilizing the TelSender plugin. Compromise of an administrator account can enable further attacks, including malware distribution or data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade Immediately:\u003c/strong\u003e Patch the TelSender plugin to a version beyond 1.14.14 as soon as a fix is released to mitigate CVE-2026-15298.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable Vulnerable Plugin:\u003c/strong\u003e If an immediate patch is not available, disable or uninstall the TelSender plugin to remove the attack vector until a secure version can be deployed.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEducate Administrators:\u003c/strong\u003e Advise WordPress administrators to exercise caution when interacting with plugin settings, especially those that process external data, and to ensure all plugins are regularly updated.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T05:23:32Z","date_published":"2026-07-10T05:23:32Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15298-telsender-xss/","summary":"The TelSender plugin for WordPress, versions up to and including 1.14.14, is vulnerable to DOM-Based Cross-Site Scripting (CWE-79), allowing unauthenticated attackers to inject malicious scripts via Telegram chat titles which execute within an administrator's browser upon interacting with the plugin's settings.","title":"CVE-2026-15298: WordPress TelSender Plugin DOM-Based Cross-Site Scripting","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15298-telsender-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Pechenki","version":"https://jsonfeed.org/version/1.1"}