{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13068", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-12T14:03:10.655Z", "datePublished": "2025-11-25T04:38:01.612Z", "dateUpdated": "2026-04-08T17:35:08.349Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:08.349Z"}, "affected": [{"vendor": "milmor", "product": "Telegram Bot & Channel", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Telegram Bot & Channel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Telegram username in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Telegram Bot & Channel <= 4.1 - Unauthenticated Stored Cross-Site Scripting via Telegram Username", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe4774ee-16f2-478f-92e3-8a7da7b30336?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/telegram-bot/tags/4.1/columns.php#L45"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "venom 5iix"}], "timeline": [{"time": "2025-10-28T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-12T14:19:20.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-24T16:29:12.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-25T16:58:21.103430Z", "id": "CVE-2025-13068", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T16:58:29.844Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13068", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-25T16:58:21.103430Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T16:58:25.620Z"}}], "cna": {"title": "Telegram Bot & Channel <= 4.1 - Unauthenticated Stored Cross-Site Scripting via Telegram Username", "credits": [{"lang": "en", "type": "finder", "value": "venom 5iix"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "milmor", "product": "Telegram Bot & Channel", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-28T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-12T14:19:20.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-24T16:29:12.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe4774ee-16f2-478f-92e3-8a7da7b30336?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/telegram-bot/tags/4.1/columns.php#L45"}], "descriptions": [{"lang": "en", "value": "The Telegram Bot & Channel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Telegram username in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:08.349Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13068", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:35:08.349Z", "dateReserved": "2025-11-12T14:03:10.655Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-25T04:38:01.612Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Telegram Bot & Channel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Telegram username in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-13068", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-25T05:16:08.830", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/telegram-bot/tags/4.1/columns.php#L45"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe4774ee-16f2-478f-92e3-8a7da7b30336?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:21:12.737470+00:00", "value": {"mitigation_remediation": ["Upgrade the Telegram Bot & Channel plugin to the latest available version that has fixed the XSS issue.", "If an update is unavailable, modify the plugin\u2019s username handler to enforce strict server\u2011side sanitization and ensure all output is properly escaped before rendering.", "Consider disabling or removing the ability to set the Telegram username in the plugin if the feature is unnecessary for your deployment."], "summary": {"action": "Patch Now", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Any WordPress site that installed the Telegram Bot & Channel plugin in any version up to and including 4.1 is affected. The plugin is maintained by the milmor vendor within the WordPress ecosystem.", "description_and_impact": "The vulnerability resides in the Telegram Bot & Channel plugin for WordPress, where the Telegram username field is insufficiently sanitized before it is stored and later output without proper escaping. This flaw allows an attacker who does not need authentication to embed arbitrary client\u2011side scripts that will run when any user views a page containing the injected username. The result is typical XSS abuse: session hijacking, credential theft, defacement or execution of malicious payloads in the context of the visiting user. The weakness is cataloged as CWE\u201179, a classic unvalidated input scenario leading to script injection.", "risk_and_exploitability": "The CVSS score of 7.2 signifies high potential impact, yet the EPSS score of less than 1% indicates that the likelihood of exploitation remains low at this time. The vulnerability is not listed in CISA KEV, suggesting no known large\u2011scale exploit activity. Attackers can achieve exploitation simply by submitting a malicious username via the plugin interface; no additional credentials or privileged access are required."}}}}, "created": "2025-11-27T09:45:25.303008+00:00", "updated": "2026-04-21T01:30:24.390005+00:00", "vendors": ["milmor", "milmor$PRODUCT$telegram_bot_&_channel", "wordpress", "wordpress$PRODUCT$wordpress"]}