Impact
The vulnerability allows an attacker to inject arbitrary script code into the WordPress Notification for Telegram plugin without authentication. The injected script would run in the browser context of any user who views content that triggers the plugin, giving the attacker the ability to execute malicious actions in that context. The flaw is identified as a CWE‑79 (Cross‑Site Scripting) weakness.
Affected Systems
WordPress sites that have installed the Notification for Telegram plugin from rainafarai with version 3.5 or earlier are affected. The vulnerability is fixed in version 3.5.1 and later, so environments running those earlier releases remain at risk.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity, while the EPSS score of less than 1 % reflects a low probability of exploitation. The flaw is not listed in the CISA KEV catalog. Because the XSS payload can be injected without authentication, the attack vector is broadly available to adversaries who can direct a victim to load a page that incorporates the plugin or craft a message that causes the plugin to display unsanitized content.
OpenCVE Enrichment