Description
The Telegram Bot & Channel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Telegram username in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-11-25
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Now
AI Analysis

Impact

The vulnerability resides in the Telegram Bot & Channel plugin for WordPress, where the Telegram username field is insufficiently sanitized before it is stored and later output without proper escaping. This flaw allows an attacker who does not need authentication to embed arbitrary client‑side scripts that will run when any user views a page containing the injected username. The result is typical XSS abuse: session hijacking, credential theft, defacement or execution of malicious payloads in the context of the visiting user. The weakness is catalogued as CWE‑79 (improper neutralization of input during web page generation), the classic case of unvalidated input reaching page output as script.

Affected Systems

Any WordPress site that installed the Telegram Bot & Channel plugin in any version up to and including 4.1 is affected. The plugin is maintained by the milmor vendor within the WordPress ecosystem.

Risk and Exploitability

The CVSS score of 7.2 signifies high potential impact, yet the EPSS score of less than 1% indicates that the likelihood of exploitation remains low at this time. The vulnerability is not listed in CISA KEV, suggesting no known large‑scale exploit activity. Attackers can achieve exploitation simply by submitting a malicious username via the plugin interface; no additional credentials or privileged access are required.

Generated by OpenCVE AI on April 21, 2026 at 01:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Telegram Bot & Channel plugin to the latest available version that has fixed the XSS issue.
  • If an update is unavailable, modify the plugin’s username handler to enforce strict server‑side sanitization and ensure all output is properly escaped before rendering.
  • Consider disabling or removing the ability to set the Telegram username in the plugin if the feature is unnecessary for your deployment.
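As an added illustration of the second recommended action (this is example code, not the plugin's or the vendor's), the WordPress-style PHP below places the vulnerable store-and-echo pattern beside a hardened version that validates the Telegram username on input, restricts who may write it, and escapes it per output context. The function names, the option key `tgx_username` and the form field `tg_username` are hypothetical; the WordPress core functions used (`sanitize_text_field`, `wp_unslash`, `current_user_can`, `check_admin_referer`, `update_option`, `get_option`, `esc_url`, `esc_html`, `wp_die`) are real and assume WordPress is loaded.

```php
<?php
// Added example, not the plugin's code. Option key, field name and function
// names are hypothetical; the WordPress core functions are real.

// Telegram usernames are 5-32 characters from [A-Za-z0-9_]. Rejecting anything
// else at the input boundary removes the injection vector before storage.
function tgx_sanitize_telegram_username( $raw ) {
    $value = sanitize_text_field( (string) $raw ); // strips tags, control chars, stray whitespace
    $value = ltrim( $value, '@' );                  // tolerate "@name" input
    if ( ! preg_match( '/^[A-Za-z0-9_]{5,32}$/', $value ) ) {
        return ''; // invalid: store nothing rather than attacker-controlled markup
    }
    return $value;
}

// "Before": the vulnerable pattern. Any caller can write the value, nothing is
// sanitized on the way in, and nothing is escaped on the way out.
function tgx_vulnerable_save_and_render() {
    if ( isset( $_POST['tg_username'] ) ) {
        update_option( 'tgx_username', wp_unslash( $_POST['tg_username'] ) ); // no sanitization
    }
    $name = get_option( 'tgx_username', '' );
    echo '<a href="https://t.me/' . $name . '">@' . $name . '</a>'; // no escaping: stored XSS
}

// "After": authorize the write, validate on input, escape per output context.
function tgx_hardened_save_and_render() {
    if ( isset( $_POST['tg_username'] ) ) {
        // Unauthenticated callers must not be able to write this setting at all.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Not allowed' );
        }
        check_admin_referer( 'tgx_save_username' ); // CSRF protection; dies on a bad nonce
        $clean = tgx_sanitize_telegram_username( wp_unslash( $_POST['tg_username'] ) );
        update_option( 'tgx_username', $clean );
    }

    $name = get_option( 'tgx_username', '' );
    if ( '' === $name ) {
        return;
    }
    // Escape for the context each value lands in: URL attribute vs. HTML text.
    printf(
        '<a href="%s">@%s</a>',
        esc_url( 'https://t.me/' . rawurlencode( $name ) ),
        esc_html( $name )
    );
}
```

The validation step is what makes the stored value safe by construction; the output escaping is defense in depth, and is still required because the same option may be rendered in other templates or after the validation rule changes. The capability and nonce checks address the "unauthenticated" part of the finding separately from the XSS itself.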

Advisories

No advisories yet.

History

Thu, 27 Nov 2025 10:00:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Milmor; Milmor telegram Bot & Channel; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Milmor; Milmor telegram Bot & Channel; Wordpress; Wordpress wordpress

Tue, 25 Nov 2025 17:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 25 Nov 2025 05:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The Telegram Bot & Channel plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Telegram username in all versions up to, and including, 4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Type: Title
  Values Removed: (none)
  Values Added: Telegram Bot & Channel <= 4.1 - Unauthenticated Stored Cross-Site Scripting via Telegram Username
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79
Type: References
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
    {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Milmor Telegram Bot & Channel
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:35:08.349Z

Reserved: 2025-11-12T14:03:10.655Z

Link: CVE-2025-13068

Vulnrichment

Updated: 2025-11-25T16:58:25.620Z

NVD

Status : Deferred

Published: 2025-11-25T05:16:08.830

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13068

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:30:24Z

Weaknesses