PatchSiren cyber security CVE debrief
CVE-2026-15298 pechenki CVE debrief
The TelSender plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting in all versions up to, and including, 1.14.14. This is due to insufficient input sanitization when processing Telegram API responses containing attacker-controlled chat titles. This makes it possible for unauthenticated attackers to inject malicious scripts via Telegram chat titles that execute when an administrator opens the TelSender settings page and clicks the 'Tested' button. The vulnerability affects WordPress installations using the TelSender plugin.
- Vendor
- pechenki
- Product
- TelSender – Сontact form 7, Events, Wpforms, ninja forms and woocommerce to telegram bot
- CVSS
- HIGH 7.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Administrators and users of the TelSender plugin for WordPress should be aware of this vulnerability and take immediate action to protect their installations. This includes reviewing and updating affected systems, implementing compensating controls, and monitoring for suspicious activity.
Technical summary
The TelSender plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting (XSS) due to insufficient input sanitization when processing Telegram API responses. An attacker can inject malicious scripts via Telegram chat titles, which execute when an administrator opens the TelSender settings page and clicks the 'Tested' button. The vulnerability affects all versions up to, and including, 1.14.14 of the TelSender plugin.
Defensive priority
High
Recommended defensive actions
- Update the TelSender plugin to the latest version
- Implement input validation and sanitization for Telegram API responses
- Restrict access to the TelSender settings page
- Monitor for suspicious activity and implement logging and auditing
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-10T05:16:33.117Z and was last modified on 2026-07-10T17:16:54.023Z. The NVD entry is currently Deferred. Evidence is limited to public CVE and NVD information. Defenders should verify vulnerability scope and impact with additional sources.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T05:16:33.117Z and has not been modified since then. The NVD entry is currently Deferred.