CVE-2025-58794

Vulnerability

Overview A Cross-Site Request Forgery (CSRF) vulnerability exists in the WordPress plugin Notification for Telegram versions up to and including 3.5. The issue stems from insufficient validation of requests, allowing an attacker to trick authenticated users into performing unintended actions without their consent [1].

Exploitation

Exploitation requires user interaction, such as a privileged user clicking a malicious link or visiting a crafted page. The attacker does not need direct authentication but must induce a logged-in administrator or other high-privilege user to execute the forged request. This can occur via social engineering or other deceptive methods [1].

Impact

Successful exploitation enables an attacker to perform actions under the victim's current session, potentially leading to unauthorized changes in plugin settings, notification configurations, or other administrative functions. The CVSS v3 base score is 4.3 (Medium) due to the requirement for user interaction [1].

Mitigation

The vulnerability is addressed in version 3.5.2 of the plugin. Users are advised to update immediately. Patchstack recommends enabling auto-updates for vulnerable plugins. If an update is not possible, consult a hosting provider for temporary workarounds [1].