Notification for Telegram Security & Risk Analysis

wordpress.org/plugins/notification-for-telegram

Sends notifications to Telegram users or groups, when some events occur in WordPress.

4K active installs · v3.5 · PHP 7.4+ · WP 4.0+ · Updated Feb 27, 2026

Tags: ai, mcp, notification, telegram, woocommerce

Score 54 · C · Use Caution
CVEs total: 3
Unpatched: 2
Last CVE: Nov 29, 2025
Safety Verdict

Is Notification for Telegram Safe to Use in 2026?

Use With Caution

Score 54/100

Notification for Telegram has 2 unpatched vulnerabilities. Evaluate alternatives or apply available mitigations.

3 known CVEs · 2 unpatched · Last CVE: Nov 29, 2025 · Updated 1mo ago
Risk Assessment

The "notification-for-telegram" plugin v3.5 exhibits a mixed security posture. While it demonstrates good practices like using prepared statements for all SQL queries and a relatively high percentage of properly escaped output, significant concerns arise from its attack surface and vulnerability history. The presence of three AJAX handlers and one REST API route without adequate authorization checks presents a substantial risk of unauthorized actions. The taint analysis, though limited in scope, revealed flows with unsanitized paths, indicating potential for further exploitation if these entry points are not secured.

The plugin's vulnerability history is particularly troubling, with three known medium-severity CVEs, two of which remain unpatched. The prevalence of Missing Authorization and Cross-Site Request Forgery (CSRF) vulnerabilities in its past suggests a recurring weakness in how user input and actions are handled and secured. The most recent vulnerability was discovered in late 2025, indicating that ongoing security issues are not being addressed promptly.

In conclusion, the "notification-for-telegram" plugin has several strengths in its code, particularly regarding database interactions and output sanitization. However, these are overshadowed by critical weaknesses in authorization controls for its entry points and a concerning pattern of past vulnerabilities that are not being fully remediated. The plugin's overall security posture is therefore considered weak and requires immediate attention, especially concerning the unpatched vulnerabilities and unprotected entry points.

Key Concerns

  • Unpatched CVEs
  • AJAX handlers without auth checks
  • REST API routes without permission callbacks
  • Flows with unsanitized paths
  • Missing nonce checks
  • Low capability check coverage
Vulnerabilities (3)

Notification for Telegram Security Vulnerabilities

CVEs by Year

2024: 1 CVE
2025: 2 CVEs · unpatched

Severity Breakdown

Medium: 3 (3 total CVEs)

CVE-2025-62993 · medium · 4.3 · Missing Authorization

Notification for Telegram <= 3.4.7 - Missing Authorization

Nov 29, 2025 · Unpatched

CVE-2025-58794 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Notification for Telegram <= 3.4.6 - Cross-Site Request Forgery

Sep 5, 2025 · Unpatched

CVE-2024-9685 · medium · 4.3 · Missing Authorization

Notification for Telegram <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Send Telegram Test Message

Oct 9, 2024 · Patched in 3.3.2 (1d)
Code Analysis
Analyzed Mar 16, 2026

Notification for Telegram Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (2 prepared)
Unescaped Output: 9 (29 escaped)
Nonce Checks: 1
Capability Checks: 3
File Operations: 1
External Requests: 10
Bundled Libraries: 0

SQL Query Safety

100% prepared · 2 total queries

Output Escaping

76% escaped · 38 total outputs

Data Flows (2 unsanitized)

Data Flow Analysis

2 flows · 2 with unsanitized paths
telegram_notify_create_admin_page_tabbed (include\nftb_optionpage.php:135)

Attack Surface (3 unprotected)

Notification for Telegram Attack Surface

Entry Points: 5
Unprotected: 3

AJAX Handlers 3

auth · wp_ajax_nftb_cron_action · include\nftncron.php:94
auth · wp_ajax_nftb_cron_action_set · include\nftncron.php:122
auth · wp_ajax_nftb_test_action · index.php:209

REST API Routes 1

POST /wp-json/surecart-webhook/v1/receive · include\nftb_surecart.php:250

Shortcodes 1

[telegram_mess] include\tnfunction.php:496
WordPress Hooks 42

action · wp_abilities_api_categories_init · include\nftb_MCP.php:17
action · wp_abilities_api_init · include\nftb_MCP.php:34
action · plugins_loaded · include\nftb_MCP.php:102
action · mcp_adapter_init · include\nftb_MCP.php:112
action · admin_menu · include\nftb_optionpage.php:107
action · admin_init · include\nftb_optionpage.php:108
action · surecart/checkout_confirmed · include\nftb_surecart.php:10
action · rest_api_init · include\nftb_surecart.php:249
filter · cron_schedules · include\nftncron.php:7
action · init · include\nftncron.php:48
action · nftb_cron_hook · include\nftncron.php:90
action · woocommerce_after_order_notes · include\tnfunction.php:147
action · woocommerce_checkout_update_order_meta · include\tnfunction.php:168
action · woocommerce_admin_order_data_after_billing_address · include\tnfunction.php:181
action · admin_notices · include\tnfunction.php:195
action · admin_init · include\tnfunction.php:282
action · mc4wp_form_subscribed · include\tnfunction.php:332
action · mc4wp_form_unsubscribed · include\tnfunction.php:350
action · comment_post · include\tnfunction.php:373
action · init · index.php:31
action · init · index.php:71
action · admin_footer · index.php:76
action · transition_post_status · index.php:285
action · wpforms_process_complete · index.php:348
action · wpcf7_before_send_mail · index.php:375
action · woocommerce_checkout_order_processed · index.php:462
action · woocommerce_checkout_order_processed · index.php:469
action · woocommerce_thankyou · index.php:473
action · woocommerce_payment_complete · index.php:478
action · woocommerce_low_stock · index.php:763
action · woocommerce_order_status_changed · index.php:803
action · woocommerce_add_to_cart · index.php:862
action · woocommerce_cart_item_removed · index.php:896
filter · authenticate · index.php:940
action · user_register · index.php:1042
filter · authenticate · index.php:1102
action · wp_insert_comment · index.php:1207
action · _core_updated_successfully · index.php:1278
filter · ninja_forms_submit_data · index.php:1287
action · elementor_pro/forms/new_record · index.php:1336
action · init · index.php:1369
filter · wsal_event_data_before_log · index.php:1378

Scheduled Events 2

nftb_cron_hook
nftb_cron_hook
Maintenance & Trust

Notification for Telegram Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 27, 2026
PHP min version: 7.4
Downloads: 49K

Community Trust

Rating: 98/100
Number of ratings: 65
Active installs: 4K
Developer Profile

Notification for Telegram Developer Profile

rainafarai

5 plugins · 4K total installs

Trust score: 92
Avg Security Score: 88/100
Avg Patch Time: 1 day
Detection Fingerprints

How We Detect Notification for Telegram

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/notification-for-telegram/mystyle.css
/wp-content/plugins/notification-for-telegram/nftb_minimal.css
/wp-content/plugins/notification-for-telegram/myjs.js

Script Paths
/wp-content/plugins/notification-for-telegram/myjs.js

HTML / DOM Fingerprints

Data Attributes
id="saysomething"
id="buttonTest"
id="buttoncron"
id="notify_update"
id="buttoncronset"
id="notify_update_time"

JS Globals
ajaxurl
nftb_test_action
nftb_cron_action
nftb_cron_action_set

REST Endpoints
/wp-json/notification-for-telegram/v1/send-test-message
/wp-json/notification-for-telegram/v1/schedule-cron
FAQ

Frequently Asked Questions about Notification for Telegram