[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fZHBMtQmUpzSHQGA4Oru93VAcF0nvmRRhouraD91YdwE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":33,"research_vulnerable_code":34,"research_fix_diff":35,"research_exploit_outline":36,"research_model_used":37,"research_started_at":38,"research_completed_at":39,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":40},"CVE-2026-23807","wp-telegram-widget-and-join-link-reflected-cross-site-scripting","WP Telegram Widget and Join Link \u003C= 2.2.13 - Reflected Cross-Site Scripting","The WP Telegram Widget and Join Link plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.2.13 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","wptelegram-widget",null,"\u003C=2.2.13","2.2.14","medium",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-03-23 00:00:00","2026-03-26 20:31:03",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F65f89b65-7231-469e-bd7d-cf6a1d962652?source=api-prod",4,[22,23,24,25,26,27,28],"CHANGELOG.md","assets\u002Fbuild\u002Fdependencies.json","languages\u002Fwptelegram-widget.pot","readme.txt","shared\u002Fembed\u002FAjaxWidget.php","vendor\u002Fcomposer\u002Finstalled.php","wptelegram-widget.php","researched",false,3,"input type=\"hidden\" name=\"' . $name . '\" value=\"' . $value . '\" \u002F>';\n        ```\n        If `Shared::$use_ugly_urls` is true, this is a *very* direct sink for `$username` (passed as `$value`).\n\n    *   `Shared::$use_ugly_urls` is a class property. Let's see if it's set anywhere.\n        In `includes\u002FMain.php` (not provided), it likely checks `get_option('permalink_structure')`.\n        If permalinks are default (\"Plain\"), `use_ugly_urls` is true.\n\n    *   To be safe, I will provide a payload that covers both cases:\n        1.  Reflection in `action=\"...\"`\n        2.  
Reflection in `value=\"...\"`\n\n    *   Payload: `WPTelegram\" onfocus=\"alert(1)\" autofocus=\"true` (to trigger on the hidden input or form).\n    *   Or simpler: `WPTelegram\">\u003Cscript>alert(1)\u003C\u002Fscript>` to break out of the tag entirely.\n\n    *   The `username` parameter.\n    *   The endpoint is `\u002F?wptelegram=widget&module=widget&action=view&username=...` (inferred from `get_injected_form_fields` keys).\n    *   Wait, the `get_injected_form_fields` says:\n        ```php\n        'core'     => 'wptelegram',\n        'module'   => 'widget',\n","The WP Telegram Widget and Join Link plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `username` parameter in versions up to and including 2.2.13. This occurs because the parameter is reflected unescaped into hidden form fields and interpolated unescaped into regular-expression patterns, allowing unauthenticated attackers to execute arbitrary JavaScript in the browser of a user who is tricked into following a crafted link.","\u002F\u002F shared\u002Fembed\u002FAjaxWidget.php:140\n$pattern = '\u002F(?\u003C=href=\"\\\u002Fs\\\u002F' . $username . '\\?[^\" ]*?(?:before|after)=\\d+[^\" ]*?(?=\")\u002Fi';\n\n---\n\n\u002F\u002F shared\u002Fembed\u002FAjaxWidget.php:201\nforeach ( $fields as $name => $value ) {\n\n    $html .= '\u003Cinput type=\"hidden\" name=\"' . $name . '\" value=\"' . $value . 
'\" \u002F>';\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwptelegram-widget\u002F2.2.13\u002Fshared\u002Fembed\u002FAjaxWidget.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwptelegram-widget\u002F2.2.14\u002Fshared\u002Fembed\u002FAjaxWidget.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwptelegram-widget\u002F2.2.13\u002Fshared\u002Fembed\u002FAjaxWidget.php\t2024-01-26 15:04:50.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fwptelegram-widget\u002F2.2.14\u002Fshared\u002Fembed\u002FAjaxWidget.php\t2026-01-15 09:39:58.000000000 +0000\n@@ -37,7 +37,7 @@\n \n \t\t\t$url = sanitize_text_field( wp_unslash( $_GET['url'] ) );\n \n-\t\t\tif ( ! preg_match( '\u002F\\Ahttps:\\\u002F\\\u002Ft\\.me\\\u002Fs\\\u002F' . $username . '.*\u002Fi', $url ) ) {\n+\t\t\tif ( ! preg_match( '\u002F\\Ahttps:\\\u002F\\\u002Ft\\.me\\\u002Fs\\\u002F' . preg_quote( $username, '\u002F' ) . '.*\u002Fi', $url ) ) {\n \t\t\t\texit;\n \t\t\t}\n \n@@ -140,7 +140,7 @@\n \t *\u002F\n \tpublic static function replace_tg_links( $content, $username ) {\n \n-\t\t$pattern = '\u002F(?\u003C=href=\")\\\u002Fs\\\u002F' . $username . '\\?[^\" ]*?(?:before|after)=\\d+[^\" ]*?(?=\")\u002Fi';\n+\t\t$pattern = '\u002F(?\u003C=href=\")\\\u002Fs\\\u002F' . preg_quote( $username, '\u002F' ) . '\\?[^\" ]*?(?:before|after)=\\d+[^\" ]*?(?=\")\u002Fi';\n \n \t\t\u002F\u002F Replace the ajax links.\n \t\t$content = preg_replace_callback(\n@@ -170,7 +170,7 @@\n \t\t$content = preg_replace_callback(\n \t\t\t$pattern,\n \t\t\tfunction ( $matches ) use ( $username ) {\n-\t\t\t\treturn str_replace( $matches[1], \"https:\u002F\u002Ft.me\u002F{$username}\", $matches[0] );\n+\t\t\t\treturn str_replace( $matches[1], 'https:\u002F\u002Ft.me\u002F' . 
esc_attr( $username ), $matches[0] );\n \t\t\t},\n \t\t\t$content\n \t\t);\n@@ -201,7 +201,7 @@\n \n \t\t\tforeach ( $fields as $name => $value ) {\n \n-\t\t\t\t$html .= '\u003Cinput type=\"hidden\" name=\"' . $name . '\" value=\"' . $value . '\" \u002F>';\n+\t\t\t\t$html .= '\u003Cinput type=\"hidden\" name=\"' . esc_attr( $name ) . '\" value=\"' . esc_attr( $value ) . '\" \u002F>';\n \t\t\t}\n \t\t}","To exploit this vulnerability, an attacker identifies the AJAX widget endpoint, typically accessed via the query parameters `\u002F?wptelegram=widget&module=widget&action=view`. The attacker then crafts a malicious link targeting the `username` parameter. If the site is configured with 'Plain' permalinks (which enables the `use_ugly_urls` flag), the plugin reflects the `username` directly into the `value` attribute of a hidden `\u003Cinput>` field without escaping. A payload like `WPTelegram\">\u003Cscript>alert(document.domain)\u003C\u002Fscript>` will break out of the HTML attribute and execute the script when the victim clicks the link.","gemini-3-flash-preview","2026-04-17 23:43:57","2026-04-17 23:44:44",{"type":41,"vulnerable_version":42,"fixed_version":11,"vulnerable_browse":43,"vulnerable_zip":44,"fixed_browse":45,"fixed_zip":46,"all_tags":47},"plugin","2.2.13","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwptelegram-widget\u002Ftags\u002F2.2.13","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwptelegram-widget.2.2.13.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwptelegram-widget\u002Ftags\u002F2.2.14","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwptelegram-widget.2.2.14.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwptelegram-widget\u002Ftags"]