CVE-2026-40732
Description
Unauthenticated stored XSS in Notification for Telegram plugin for WordPress <=3.5 allows script injection via crafted payload requiring user interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Notification for Telegram plugin for WordPress versions 3.5 and earlier contains an unauthenticated Cross-Site Scripting (XSS) vulnerability [1]. The flaw resides in insufficient input sanitization, allowing an attacker to inject arbitrary HTML and JavaScript into pages without requiring any prior authentication or special privileges.
Exploitation
An unauthenticated attacker can deliver a malicious payload through a crafted request to the vulnerable plugin. Successful exploitation requires an authenticated user (such as a site administrator) to perform an action, such as clicking a link or visiting a prepared page, which triggers the injected script. This user-interaction requirement is documented in the advisory [1].
Impact
Upon execution, the attacker can execute arbitrary scripts in the context of the victim's browser. This may result in redirects, injection of advertisements, theft of session cookies, or other malicious actions that affect website visitors and compromise the integrity of the WordPress instance [1].
Mitigation
The vulnerability is resolved in version 3.5.1 of the plugin. Users are strongly advised to update to this version immediately. For those unable to update, Patchstack provides a virtual mitigation rule that blocks exploitation attempts [1]. No other workarounds are mentioned in the available references.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=3.5
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.