<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pechenki - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/pechenki/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 05:23:32 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/pechenki/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-15298: WordPress TelSender Plugin DOM-Based Cross-Site Scripting</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15298-telsender-xss/</link><pubDate>Fri, 10 Jul 2026 05:23:32 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15298-telsender-xss/</guid><description>The TelSender plugin for WordPress, versions up to and including 1.14.14, is vulnerable to DOM-Based Cross-Site Scripting (CWE-79), allowing unauthenticated attackers to inject malicious scripts via Telegram chat titles which execute within an administrator's browser upon interacting with the plugin's settings.</description><content:encoded><![CDATA[<p>A DOM-Based Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2026-15298, has been identified in the TelSender plugin for WordPress, affecting all versions up to and including 1.14.14. This vulnerability stems from insufficient input sanitization when the plugin processes Telegram API responses, specifically those containing attacker-controlled chat titles. Exploitation of this flaw enables unauthenticated attackers to inject arbitrary malicious scripts. These scripts are then executed in the context of an administrator's browser when they access the TelSender settings page and click the &quot;Tested&quot; button. This interaction triggers the client-side rendering of the unsanitized Telegram chat title, leading to the execution of the attacker's script. The vulnerability poses a significant risk as it can lead to session hijacking, credential theft, or further compromise of the WordPress site.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Attacker Controls Telegram Chat Title:</strong> An unauthenticated attacker registers a Telegram chat or group and sets its title to contain malicious JavaScript payload (e.g., <code>&lt;script&gt;alert(document.cookie)&lt;/script&gt;</code>).</li>
<li><strong>TelSender Plugin Connects to Telegram:</strong> The legitimate WordPress site administrator configures and connects the TelSender plugin to their Telegram account, allowing it to retrieve Telegram API responses, including chat titles.</li>
<li><strong>Malicious Chat Title Stored/Processed:</strong> The TelSender plugin processes the Telegram API response, which includes the attacker-controlled chat title. Due to insufficient sanitization, the malicious script within the chat title is embedded into the plugin's data structures or directly into the DOM.</li>
<li><strong>Administrator Accesses Settings:</strong> The administrator navigates to the TelSender plugin's settings page within the WordPress admin dashboard.</li>
<li><strong>Administrator Clicks &quot;Tested&quot; Button:</strong> The administrator interacts with the settings page, specifically clicking the &quot;Tested&quot; button. This action triggers the vulnerable client-side code within the plugin.</li>
<li><strong>DOM-Based XSS Execution:</strong> The plugin's JavaScript code renders the previously processed (and unsanitized) Telegram chat title directly into the Document Object Model (DOM) of the administrator's browser.</li>
<li><strong>Malicious Script Execution:</strong> The injected malicious JavaScript payload executes within the administrator's browser context, potentially leading to session hijacking, credential theft, or further administrative actions on the WordPress site.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-15298 allows unauthenticated attackers to execute arbitrary JavaScript code within the context of an administrator's browser. This can lead to severe consequences, including but not limited to, complete administrative control over the affected WordPress website, theft of sensitive information (e.g., session cookies, login credentials), redirection of users to malicious sites, or defacement. While no specific victim numbers are available, WordPress plugins are widely deployed, making this a critical concern for organizations utilizing the TelSender plugin. Compromise of an administrator account can enable further attacks, including malware distribution or data exfiltration.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Upgrade Immediately:</strong> Patch the TelSender plugin to a version beyond 1.14.14 as soon as a fix is released to mitigate CVE-2026-15298.</li>
<li><strong>Disable Vulnerable Plugin:</strong> If an immediate patch is not available, disable or uninstall the TelSender plugin to remove the attack vector until a secure version can be deployed.</li>
<li><strong>Educate Administrators:</strong> Advise WordPress administrators to exercise caution when interacting with plugin settings, especially those that process external data, and to ensure all plugins are regularly updated.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>wordpress</category><category>plugin</category><category>xss</category><category>web-application</category><category>cve</category></item></channel></rss>