{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23807", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-16T14:15:17.505Z", "datePublished": "2026-03-25T16:14:29.657Z", "dateUpdated": "2026-04-28T16:14:47.237Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "wptelegram-widget", "product": "WP Telegram Widget and Join Link", "vendor": "WP Socio", "versions": [{"changes": [{"at": "2.2.14", "status": "unaffected"}], "lessThanOrEqual": "2.2.13", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "johska | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:18:32.174Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Socio WP Telegram Widget and Join Link wptelegram-widget allows Reflected XSS.<p>This issue affects WP Telegram Widget and Join Link: from n/a through <= 2.2.13.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Socio WP Telegram Widget and Join Link wptelegram-widget allows Reflected XSS.This issue affects WP Telegram Widget and Join Link: from n/a through <= 2.2.13."}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:47.237Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/wptelegram-widget/vulnerability/wordpress-wp-telegram-widget-and-join-link-plugin-2-2-13-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress WP Telegram Widget and Join Link plugin <= 2.2.13 - Reflected Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:18:05.369226Z", "id": "CVE-2026-23807", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T15:47:41.514Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23807", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:18:05.369226Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:18:06.397Z"}}], "cna": {"title": "WordPress WP Telegram Widget and Join Link plugin <= 2.2.13 - Reflected Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "johska | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-591", "descriptions": [{"lang": "en", "value": "Reflected XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WP Socio", "product": "WP Telegram Widget and Join Link", "versions": [{"status": "affected", "changes": [{"at": "2.2.14", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "2.2.13"}], "packageName": "wptelegram-widget", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:18:32.174Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/wptelegram-widget/vulnerability/wordpress-wp-telegram-widget-and-join-link-plugin-2-2-13-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Socio WP Telegram Widget and Join Link wptelegram-widget allows Reflected XSS.This issue affects WP Telegram Widget and Join Link: from n/a through <= 2.2.13.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Socio WP Telegram Widget and Join Link wptelegram-widget allows Reflected XSS.<p>This issue affects WP Telegram Widget and Join Link: from n/a through <= 2.2.13.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:03.978Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23807", "state": "PUBLISHED", "dateUpdated": "2026-04-28T15:47:41.514Z", "dateReserved": "2026-01-16T14:15:17.505Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:14:29.657Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WP Socio WP Telegram Widget and Join Link wptelegram-widget allows Reflected XSS.This issue affects WP Telegram Widget and Join Link: from n/a through <= 2.2.13."}, {"lang": "es", "value": "Vulnerabilidad de Neutralizaci\u00f3n Incorrecta de la Entrada Durante la Generaci\u00f3n de P\u00e1ginas Web ('cross-site scripting') en WP Socio WP Telegram Widget and Join Link wptelegram-widget permite XSS Reflejado. Este problema afecta a WP Telegram Widget and Join Link: desde n/a hasta &lt;= 2.2.13."}], "id": "CVE-2026-23807", "lastModified": "2026-04-24T16:32:53.997", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:16:36.000", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/wptelegram-widget/vulnerability/wordpress-wp-telegram-widget-and-join-link-plugin-2-2-13-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.13]"}}], "enrichment": {"confidence": 99.0, "confidence_source": "matching", "scores": [{"score": 99.0, "source": "matching"}]}, "original": {"product": "WP Telegram Widget and Join Link", "source": "cna", "vendor": "WP Socio"}, "product": "wp_telegram_widget_and_join_link", "vendor": "wpsocio"}], "analysis": {"en": {"generated_at": "2026-03-25T22:43:18.679561+00:00", "value": {"mitigation_remediation": ["Upgrade WP Socio WP Telegram Widget and Join Link to version 2.2.14 or later, if available.", "If the update cannot be applied immediately, remove or disable the widget from publicly accessible pages until a patch is available.", "Implement stricter input validation and output escaping on user\u2011controlled parameters to mitigate XSS until the official fix is installed."], "summary": {"action": "Apply Patch", "impact": "Cross\u2011Site Scripting (Reflected)"}, "threat_synthesis": {"affected_systems": "WP Socio WP Telegram Widget and Join Link plugin is impacted on all installations running version 2.2.13 or earlier. No other versions are affected.", "description_and_impact": "WP Socio WP Telegram Widget and Join Link plugin allows an attacker to inject malicious JavaScript via unsanitized user input, enabling reflected XSS. The flaw lets the attacker embed arbitrary scripts that execute in the browser of any user who visits a crafted page. This can lead to defacement of the site, theft of session cookies, or other client\u2011side compromise.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 7.1. The attack requires a malicious URL or form submission that an unsuspecting user clicks or submits. Because the input is reflected in the response without escaping, a successful exploit is straightforward for an attacker with minimal skill. The CVSS score reflects that an attacker can gain both confidentiality and integrity through persistent client\u2011side code execution. The EPSS score is not available, and the issue is not listed in the KEV catalog."}}}}, "created": "2026-03-25T21:34:59.441676+00:00", "updated": "2026-03-26T12:13:13.440136+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpsocio", "wpsocio$PRODUCT$wp_telegram_widget_and_join_link"]}