Does Telegram Bot & Channel have any unpatched vulnerabilities?

No. All known vulnerabilities in Telegram Bot & Channel have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is Telegram Bot & Channel compatible with PHP 7.0+?

Telegram Bot & Channel requires PHP 7.0 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Telegram Bot & Channel updated?

Telegram Bot & Channel was last updated on Nov 20, 2025. Frequent updates are generally a positive security signal.

What is Telegram Bot & Channel's security score?

Telegram Bot & Channel has a WP-Safety security score of 95/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Telegram Bot & Channel Security & Risk Analysis

wordpress.org/plugins/telegram-bot

Supercharge your WordPress site with Telegram! Broadcast posts, automate notifications, and build interactive bots for your users, groups, and channel …

600 active installs v4.1.1 PHP 7.0+ WP 4.6+ Updated Nov 20, 2025

botchannelgroupnewslettertelegram

A · Safe

CVEs total3

Unpatched0

Last CVENov 24, 2025

Plugin page Download

Safety Verdict

Is Telegram Bot & Channel Safe to Use in 2026?

Generally Safe

Score 95/100

Telegram Bot & Channel has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEsLast CVE: Nov 24, 2025Updated 4mo ago

Risk Assessment

The telegram-bot plugin v4.1.1 exhibits a mixed security posture. On the positive side, the static analysis reveals no exposed AJAX handlers, REST API routes, shortcodes, or cron events that lack authentication or permission checks, indicating a well-secured attack surface. The plugin also exclusively uses prepared statements for its single SQL query and has a reasonable number of nonces and capability checks. However, there are notable concerns. The output escaping is only 51% proper, which leaves a significant portion of outputs potentially vulnerable to cross-site scripting (XSS) attacks. While the taint analysis did not uncover any critical or high-severity issues, the file operations and external HTTP requests warrant attention in conjunction with the output escaping. The vulnerability history is a significant concern, with three known CVEs, including one high-severity vulnerability, although none are currently unpatched. The prevalence of Cross-Site Request Forgery (CSRF) and XSS in past vulnerabilities suggests recurring issues with input validation and output sanitization, despite some efforts in the code. Overall, while the attack surface is minimal, the historical vulnerability pattern and the low output escaping rate present a moderate risk that requires careful monitoring and potential remediation.

Key Concerns

Low output escaping percentage
History of high severity vulnerability
History of medium severity vulnerabilities
History of CSRF vulnerabilities
History of XSS vulnerabilities

Vulnerabilities

Telegram Bot & Channel Security Vulnerabilities

CVEs by Year

1 CVE in 2023

2023

1 CVE in 2024

2024

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

High

Medium

3 total CVEs

CVE-2025-13068high · 7.2Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Telegram Bot & Channel <= 4.1 - Unauthenticated Stored Cross-Site Scripting via Telegram Username

Nov 24, 2025 Patched in 4.1.1 (1d)

CVE-2024-38789medium · 4.3Cross-Site Request Forgery (CSRF)

Telegram Bot & Channel <= 3.8.2 - Cross-Site Request Forgery

Jul 20, 2024 Patched in 4.0 (314d)

CVE-2023-34006medium · 4.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Telegram Bot & Channel <= 3.6.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

May 29, 2023 Patched in 3.6.3 (239d)

Code Analysis

Analyzed Mar 16, 2026

Telegram Bot & Channel Code Analysis

Dangerous Functions

Raw SQL Queries

1 prepared

Unescaped Output

57 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

SQL Query Safety

100% prepared1 total queries

Output Escaping

51% escaped111 total outputs

Data Flows

All sanitized

Data Flow Analysis

2 flows

telegram_send_panel (panel\send.php:2)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

Telegram Bot & Channel Attack Surface

Entry Points0

Unprotected0

WordPress Hooks 30

actionadmin_noticesadmin-messages.php:2

filtermanage_edit-telegram_subscribers_columnscolumns.php:3

filtermanage_edit-telegram_groups_columnscolumns.php:15

filterbulk_actions-edit-telegram_subscriberscolumns.php:26

filterhandle_bulk_actions-edit-telegram_subscriberscolumns.php:31

actionmanage_telegram_subscribers_posts_custom_columncolumns.php:43

actionmanage_telegram_groups_posts_custom_columncolumns.php:44

actionadmin_initcolumns.php:72

filterposts_searchcolumns.php:76

actioninitcustom-post-types.php:2

actionadd_meta_boxescustom-post-types.php:140

actionsave_postcustom-post-types.php:201

actionfuture_postcustom-post-types.php:388

actionpublish_postcustom-post-types.php:389

actionpublish_future_postcustom-post-types.php:390

actionpost_submitbox_misc_actionscustom-post-types.php:392

actionenqueue_block_editor_assetscustom-post-types.php:457

actioninitcustom-post-types.php:483

actionplugins_loadedtelegram-bot.php:18

actionadmin_menutelegram-bot.php:36

actionadmin_inittelegram-bot.php:85

actioninittelegram-bot.php:115

actionpublish_pagetelegram-bot.php:116

actiontemplate_redirecttelegram-bot.php:164

filterquery_varstelegram-bot.php:183

filteruser_can_richedittelegram-bot.php:198

filterenter_title_heretelegram-bot.php:475

actionadmin_print_footer_scriptstelegram-bot.php:493

filterquicktags_settingstelegram-bot.php:506

actionwidgets_inittelegram-bot.php:554

Maintenance & Trust

Telegram Bot & Channel Maintenance & Trust

Maintenance Signals

WordPress version tested

Last updatedNov 20, 2025

PHP min version7.0

Downloads83K

Community Trust

Rating96/100

Number of ratings22

Active installs600

Alternatives

Telegram Bot & Channel Alternatives

WP Telegram (Auto Post and Notifications)

wptelegram

100

Integrate your WordPress site perfectly with Telegram with full control.

30K No CVEs

WP Telegram Widget and Join Link

wptelegram-widget

Display the Telegram Public Channel or Group Feed in a WordPress widget or anywhere you want using a simple shortcode.

4K 2 CVEs

Teligro

teligro

Integrate your WordPress site with Telegram

100 No CVEs

Channeller – Telegram Channel Administrator

channeller-telegram-channel-administrator

Send Text, Link, Photo, Video and Audio Files from Wordpress to Telegram Channels and Groups using bots.

40 No CVEs

Broadcast to Telegram

broadcast-to-telegram

Allows WordPress sites to send notifications to a Telegram channel. It's possible send notification to multiple channels.

10 No CVEs

Developer Profile

Telegram Bot & Channel Developer Profile

Marco Milesi

13 plugins · 13K total installs

trust score

Avg Security Score

97/100

Avg Patch Time

280 days

View full developer profile

Detection Fingerprints

How We Detect Telegram Bot & Channel

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/telegram-bot/panel/css/bootstrap.min.css/wp-content/plugins/telegram-bot/panel/css/telegram-bot.css/wp-content/plugins/telegram-bot/panel/js/telegram-bot.js

Version Parameters

/wp-content/plugins/telegram-bot/panel/css/bootstrap.min.css?ver=/wp-content/plugins/telegram-bot/panel/css/telegram-bot.css?ver=/wp-content/plugins/telegram-bot/panel/js/telegram-bot.js?ver=

HTML / DOM Fingerprints

CSS Classes

telegram-log-panel

Data Attributes

data-tb-token

FAQ