Does Notification for Telegram have any unpatched vulnerabilities?

No published vulnerabilities and no findings under coordinated disclosure as of the latest data update. Always keep the plugin updated to the latest version.

Is Notification for Telegram compatible with WordPress 6.9.4?

According to WordPress.org data, Notification for Telegram 3.5.1 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

Is Notification for Telegram compatible with PHP 7.4+?

Notification for Telegram requires PHP 7.4 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Notification for Telegram updated?

Notification for Telegram was last updated on Apr 14, 2026. Frequent updates are generally a positive security signal.

What is Notification for Telegram's security score?

Notification for Telegram has a WP-Safety security score of 93/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Notification for Telegram Security & Risk Analysis

wordpress.org/plugins/notification-for-telegram

Sends notifications to Telegram users or groups, when some events occur in WordPress.

4K active installs v3.5.1 PHP 7.4+ WP 4.0+ Updated Apr 14, 2026

aimcpnotificationtelegramwoocommerce

A · Safe

CVEs total4

Unpatched0

Last CVEApr 20, 2026

Plugin page Download

Safety Verdict

Is Notification for Telegram Safe to Use in 2026?

Generally Safe

Score 93/100

Notification for Telegram has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

4 known CVEsLast CVE: Apr 20, 2026Updated 1mo ago

Risk Assessment

The "notification-for-telegram" plugin v3.5 exhibits a mixed security posture. While it demonstrates good practices like using prepared statements for all SQL queries and a relatively high percentage of properly escaped output, significant concerns arise from its attack surface and vulnerability history. The presence of three AJAX handlers and one REST API route without adequate authorization checks presents a substantial risk of unauthorized actions. The taint analysis, though limited in scope, revealed flows with unsanitized paths, indicating potential for further exploitation if these entry points are not secured.

The plugin's vulnerability history is particularly troubling, with three known medium-severity CVEs, two of which remain unpatched. The prevalence of Missing Authorization and Cross-Site Request Forgery (CSRF) vulnerabilities in its past suggests a recurring weakness in how user input and actions are handled and secured. The most recent vulnerability was discovered in late 2025, indicating that ongoing security issues are not being addressed promptly.

In conclusion, the "notification-for-telegram" plugin has several strengths in its code, particularly regarding database interactions and output sanitization. However, these are overshadowed by critical weaknesses in authorization controls for its entry points and a concerning pattern of past vulnerabilities that are not being fully remediated. The plugin's overall security posture is therefore considered weak and requires immediate attention, especially concerning the unpatched vulnerabilities and unprotected entry points.

Key Concerns

Unpatched CVEs
AJAX handlers without auth checks
REST API routes without permission callbacks
Flows with unsanitized paths
Missing nonce checks
Low capability check coverage

Vulnerabilities

4 published

Notification for Telegram Security Vulnerabilities

CVEs by Year

1 CVE in 2024

2024

2 CVEs in 2025

2025

1 CVE in 2026

2026

Patched Has unpatched

Severity Breakdown

High

Medium

4 total CVEs

CVE-2026-40732high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Notification for Telegram <= 3.5 - Unauthenticated Stored Cross-Site Scripting

Apr 20, 2026 Patched in 3.5.1 (11d)

CVE-2025-62993medium · 4.3Missing Authorization

Notification for Telegram <= 3.5.1 - Missing Authorization

Nov 29, 2025 Patched in 3.5.2 (164d)

CVE-2025-58794medium · 4.3Cross-Site Request Forgery (CSRF)

Notification for Telegram <= 3.5.1 - Cross-Site Request Forgery

Sep 5, 2025 Patched in 3.5.2 (249d)

CVE-2024-9685medium · 4.3Missing Authorization

Notification for Telegram <= 3.3.1 - Missing Authorization to Authenticated (Subscriber+) Send Telegram Test Message

Oct 9, 2024 Patched in 3.3.2 (1d)

Version History

Notification for Telegram Release Timeline

v3.5.1Current2 CVEs

CVE-2025-62993 CVE-2025-58794

v3.53 CVEs

CVE-2025-62993 CVE-2025-58794 CVE-2026-40732

v3.4.73 CVEs

CVE-2025-62993 CVE-2025-58794 CVE-2026-40732

v3.4.63 CVEs

CVE-2025-62993 CVE-2025-58794 CVE-2026-40732

v3.4.53 CVEs

CVE-2025-62993 CVE-2025-58794 CVE-2026-40732

v3.4.43 CVEs

CVE-2025-62993 CVE-2025-58794 CVE-2026-40732

v3.4.33 CVEs

CVE-2025-62993 CVE-2025-58794 CVE-2026-40732

v3.4.23 CVEs

CVE-2025-62993 CVE-2025-58794 CVE-2026-40732

v3.4.13 CVEs

CVE-2025-62993 CVE-2025-58794 CVE-2026-40732

v3.43 CVEs

CVE-2025-62993 CVE-2025-58794 CVE-2026-40732

v3.3.73 CVEs

CVE-2025-62993 CVE-2025-58794 CVE-2026-40732

v3.3.63 CVEs

CVE-2025-62993 CVE-2025-58794 CVE-2026-40732

v3.3.33 CVEs

CVE-2025-62993 CVE-2025-58794 CVE-2026-40732

v3.3.23 CVEs

CVE-2025-62993 CVE-2025-58794 CVE-2026-40732

v3.34 CVEs

CVE-2025-62993 CVE-2024-9685 CVE-2025-58794 +1 more

v2.94 CVEs

CVE-2025-62993 CVE-2024-9685 CVE-2025-58794 +1 more

v2.84 CVEs

CVE-2025-62993 CVE-2024-9685 CVE-2025-58794 +1 more

v2.74 CVEs

CVE-2025-62993 CVE-2024-9685 CVE-2025-58794 +1 more

Code Analysis

Analyzed Mar 16, 2026

Notification for Telegram Code Analysis

Dangerous Functions

Raw SQL Queries

2 prepared

Unescaped Output

29 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared2 total queries

Output Escaping

76% escaped38 total outputs

Data Flows · Security

2 unsanitized

Data Flow Analysis

2 flows2 with unsanitized paths

telegram_notify_create_admin_page_tabbed (include\nftb_optionpage.php:135)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

3 unprotected

Notification for Telegram Attack Surface

Entry Points5

Unprotected3

AJAX Handlers 3

authwp_ajax_nftb_cron_actioninclude\nftncron.php:94

authwp_ajax_nftb_cron_action_setinclude\nftncron.php:122

authwp_ajax_nftb_test_actionindex.php:209

REST API Routes 1

POST/wp-json/surecart-webhook/v1/receiveinclude\nftb_surecart.php:250

Shortcodes 1

[telegram_mess] include\tnfunction.php:496

WordPress Hooks 42

actionwp_abilities_api_categories_initinclude\nftb_MCP.php:17

actionwp_abilities_api_initinclude\nftb_MCP.php:34

actionplugins_loadedinclude\nftb_MCP.php:102

actionmcp_adapter_initinclude\nftb_MCP.php:112

actionadmin_menuinclude\nftb_optionpage.php:107

actionadmin_initinclude\nftb_optionpage.php:108

actionsurecart/checkout_confirmedinclude\nftb_surecart.php:10

actionrest_api_initinclude\nftb_surecart.php:249

filtercron_schedulesinclude\nftncron.php:7

actioninitinclude\nftncron.php:48

actionnftb_cron_hookinclude\nftncron.php:90

actionwoocommerce_after_order_notesinclude\tnfunction.php:147

actionwoocommerce_checkout_update_order_metainclude\tnfunction.php:168

actionwoocommerce_admin_order_data_after_billing_addressinclude\tnfunction.php:181

actionadmin_noticesinclude\tnfunction.php:195

actionadmin_initinclude\tnfunction.php:282

actionmc4wp_form_subscribedinclude\tnfunction.php:332

actionmc4wp_form_unsubscribedinclude\tnfunction.php:350

actioncomment_postinclude\tnfunction.php:373

actioninitindex.php:31

actioninitindex.php:71

actionadmin_footerindex.php:76

actiontransition_post_statusindex.php:285

actionwpforms_process_completeindex.php:348

actionwpcf7_before_send_mailindex.php:375

actionwoocommerce_checkout_order_processedindex.php:462

actionwoocommerce_checkout_order_processedindex.php:469

actionwoocommerce_thankyouindex.php:473

actionwoocommerce_payment_completeindex.php:478

actionwoocommerce_low_stockindex.php:763

actionwoocommerce_order_status_changedindex.php:803

actionwoocommerce_add_to_cartindex.php:862

actionwoocommerce_cart_item_removedindex.php:896

filterauthenticateindex.php:940

actionuser_registerindex.php:1042

filterauthenticateindex.php:1102

actionwp_insert_commentindex.php:1207

action_core_updated_successfullyindex.php:1278

filterninja_forms_submit_dataindex.php:1287

actionelementor_pro/forms/new_recordindex.php:1336

actioninitindex.php:1369

filterwsal_event_data_before_logindex.php:1378

Scheduled Events 2

nftb_cron_hook

Maintenance & Trust

Notification for Telegram Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedApr 14, 2026

PHP min version7.4

Downloads50K

Community Trust

Rating98/100

Number of ratings65

Active installs4K

Alternatives

Notification for Telegram Alternatives

MailPoet – Newsletters, Email Marketing, and Automation

mailpoet

Send beautiful newsletters from WordPress. Collect subscribers with signup forms, automate your emails for WooCommerce, blog post notifications & more

500K 3 CVEs

WC Multiple Email Recipients

wc-multiple-email-recipients

This plugin lets you add up to five additional email addresses to be used with WooCommerce notification mails.

4K No CVEs

YITH WooCommerce Waitlist

yith-woocommerce-waiting-list

This plugin enables registered users to request an email notification when an out-of-stock product comes back into stock.

3K 2 CVEs

StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server

stifli-flex-mcp

100

AI Copilot for the WordPress editor, AI Chat Agent for full site management & MCP server for external AI clients. OpenAI, Claude & Gemini.

900 No CVEs

Ultimate WP Mail

ultimate-wp-mail

Custom email and SMS notifications. Automatic send actions. WPForms SMS integration. WooCommerce notifications for purchases, abandoned cart and more!

800 1 unpatched

Developer Profile

Notification for Telegram Developer Profile

rainafarai

5 plugins · 4K total installs

trust score

Avg Security Score

93/100

Avg Patch Time

106 days

View full developer profile

Detection Fingerprints

How We Detect Notification for Telegram

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/notification-for-telegram/mystyle.css/wp-content/plugins/notification-for-telegram/nftb_minimal.css/wp-content/plugins/notification-for-telegram/myjs.js

Script Paths

/wp-content/plugins/notification-for-telegram/myjs.js

HTML / DOM Fingerprints

Data Attributes

id="saysomething"id="buttonTest"id="buttoncron"id="notify_update"id="buttoncronset"id="notify_update_time"

JS Globals

ajaxurlnftb_test_actionnftb_cron_actionnftb_cron_action_set

REST Endpoints

/wp-json/notification-for-telegram/v1/send-test-message/wp-json/notification-for-telegram/v1/schedule-cron

FAQ

Notification for Telegram Security & Risk Analysis

Is Notification for Telegram Safe to Use in 2026?

Generally Safe

Key Concerns

Notification for Telegram Security Vulnerabilities

CVEs by Year

Severity Breakdown

Notification for Telegram Release Timeline

Notification for Telegram Code Analysis

SQL Query Safety

Output Escaping

Data Flow Analysis

Notification for Telegram Attack Surface

AJAX Handlers 3

REST API Routes 1

Shortcodes 1

Scheduled Events 2

Notification for Telegram Maintenance & Trust

Maintenance Signals

Community Trust

Notification for Telegram Alternatives

MailPoet – Newsletters, Email Marketing, and Automation

WC Multiple Email Recipients

YITH WooCommerce Waitlist

StifLi Flex MCP – AI Copilot, Chat Agent and MCP Server

Ultimate WP Mail

Notification for Telegram Developer Profile

How We Detect Notification for Telegram

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about Notification for Telegram