CVE-2025-13068

WordPress · WordPress Multiple Products

A high-severity vulnerability has been identified in the Telegram Bot & Channel plugin for WordPress, allowing for a Stored Cross-Site Scripting (XSS) attack.

Executive summary

A high-severity vulnerability has been identified in the Telegram Bot & Channel plugin for WordPress, allowing for a Stored Cross-Site Scripting (XSS) attack. An attacker can inject malicious script into the website by crafting a Telegram username that contains it; the plugin stores the username and renders it without escaping, so the script executes in the browser of whoever views the affected page, typically a site administrator. This could lead to theft of session information, account takeover, or full compromise of the affected WordPress website.

Vulnerability

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw. The injection point is the Telegram username the plugin records, so the attacker supplies the payload from the Telegram side rather than through a WordPress form or login. Because the plugin neither sanitizes the username on input nor escapes it on output, the script is stored in the site's database and rendered verbatim. When an administrator or other privileged user views the page that lists this username, the script runs in their browser with the victim's session and privileges, which can lead to session hijacking and full administrative control of the site.
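The bug class described above, as an added example that is not code from the Telegram Bot & Channel plugin: a stored Telegram username echoed into an admin table unescaped, beside the escaped version and an input-side allowlist. The subscriber record, the function and field names, and the 32-character length bound are assumptions made for illustration; outside WordPress, esc_html() is supplied by a shim with the same contract as the real function so the script runs from the command line.

```php
<?php
// Added example (not code from the plugin): a Telegram username stored
// verbatim and echoed into admin markup, shown beside the escaped version.
// Assumptions, none taken from the advisory: subscriber records are PHP
// arrays; function and field names are hypothetical; outside WordPress,
// esc_html() is provided by a shim with the same contract as the real one.

if (!function_exists('esc_html')) {
    // Stand-in for WordPress's esc_html() so this runs from the CLI.
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}

// Constructed sample record. The username is attacker-controlled: anyone
// can pick their own Telegram username, no WordPress account needed.
$subscriber = [
    'chat_id'  => 123456789,
    'username' => '<img src=x onerror=alert(document.cookie)>',
];

// VULNERABLE: the stored username is interpolated straight into markup.
function render_row_vulnerable(array $s): string
{
    return '<tr><td>' . $s['chat_id'] . '</td><td>@' . $s['username'] . '</td></tr>';
}

// HARDENED: escape at the point of output. Escaping on output (not only
// filtering on input) also neutralises records stored before the fix.
function render_row_hardened(array $s): string
{
    return '<tr><td>' . (int) $s['chat_id'] . '</td><td>@' . esc_html($s['username']) . '</td></tr>';
}

// Defence in depth on the input side: Telegram handles are limited to
// letters, digits and underscores, so anything else is rejected before it
// reaches the database. (The 32-character bound is a hypothetical choice.)
function is_plausible_handle(string $u): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $u) === 1;
}

echo "Vulnerable:  " . render_row_vulnerable($subscriber) . "\n";
echo "Hardened:    " . render_row_hardened($subscriber) . "\n";
echo "Input check: " . (is_plausible_handle($subscriber['username']) ? 'accepted' : 'rejected') . "\n";

// Self-check: the hardened row must carry the entity-encoded tag only.
$row = render_row_hardened($subscriber);
if (strpos($row, '<img') !== false || strpos($row, '&lt;img') === false) {
    fwrite(STDERR, "hardened renderer still emits raw markup\n");
    exit(1);
}
```

The vulnerable renderer emits the payload as live markup; the hardened one emits `&lt;img src=x onerror=alert(document.cookie)&gt;`, which the browser displays as text. Escaping belongs at the output site because the attacker's record may already be in the database when the fix lands; the allowlist is an additional barrier, not a replacement for it.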

Business impact

This vulnerability presents a high risk to the organization, reflected by its High severity rating with a CVSS score of 7.2. Successful exploitation could lead to the compromise of administrator accounts, allowing an attacker to deface the website, steal sensitive user data, install backdoors, or use the website to distribute malware to visitors. Such an incident can result in significant reputational damage, loss of customer trust, and potential regulatory fines depending on the data compromised.

Remediation

Immediate Action: Update the "Telegram Bot & Channel" plugin to the latest release without delay; the fix ships in a version later than 4, so treat version 4 and earlier as affected. If the plugin is not essential to business operations, deactivate and delete it to remove the attack surface (a deactivated plugin still leaves its code on disk). After updating, review the Telegram usernames the plugin has already stored, since a payload saved before the patch remains in the database and is only harmless if the fixed version escapes it on output.

Proactive Monitoring: Monitor web server and application logs for requests to the plugin's pages and endpoints that carry HTML or JavaScript syntax (e.g., <script>, onerror, onload), decoding URL-encoded values before matching. Note that standard access logs record the request line but not POST bodies, so body inspection needs a Web Application Firewall (WAF) or an application-level audit log; note also that, because the payload is a Telegram username, it may enter through the plugin's Telegram integration rather than through a request the attacker sends to the site. Deploy a WAF to detect and block XSS patterns, and regularly audit for unauthorized changes to website files or newly created administrator accounts.
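The log check described above, as an added example rather than a tool shipped with the plugin: it pulls the request line out of combined-format access log entries, URL-decodes it (twice, to catch double encoding) and matches the indicators listed above. The three log lines are constructed, the admin page and AJAX action names in them are placeholders, and the pattern list is an assumption that a real deployment would tune; the last line shows the limitation that a POST body is invisible to this scan.

```php
<?php
// Added example (not part of the plugin): scan access-log lines for the XSS
// indicators named in the advisory. Assumptions: Apache/nginx "combined"
// log format; the paths, page and action names in the samples are
// hypothetical placeholders chosen for illustration.

// Constructed sample lines, not real traffic. Only the query string is
// visible in a standard access log; the POST body in the last line is not,
// so this scan cannot judge it either way.
$log_lines = [
    '203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "GET /?s=hello HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Nov/2025:10:02:17 +0000] "GET /wp-admin/admin.php?page=telegram&user=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 8210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Nov/2025:10:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=telegram_save HTTP/1.1" 200 44 "-" "curl/8.4"',
];

// The advisory's indicators plus a few common companions (assumed list).
$xss_patterns = '/<script\b|\bon(?:error|load|mouseover)\s*=|javascript\s*:|<svg\b|<iframe\b/i';

// Pull "METHOD PATH" out of the quoted request line of a combined-format entry.
function extract_request(string $line): ?string
{
    if (preg_match('/"([A-Z]+) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return $m[1] . ' ' . $m[2];
    }
    return null;
}

// Decode before matching: the payload in the log is percent-encoded, and
// attackers often double-encode to slip past filters that decode only once.
function is_suspicious(string $request, string $patterns): bool
{
    $decoded = rawurldecode(rawurldecode($request));
    return preg_match($patterns, $decoded) === 1;
}

// Return the decoded request lines that match, in log order.
function scan(array $lines, string $patterns): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = extract_request($line);
        if ($req !== null && is_suspicious($req, $patterns)) {
            $hits[] = rawurldecode(rawurldecode($req));
        }
    }
    return $hits;
}

$hits = scan($log_lines, $xss_patterns);
foreach ($hits as $hit) {
    echo "ALERT: " . $hit . "\n";
}
echo count($hits) . " suspicious request(s) of " . count($log_lines) . "\n";
```

On the sample input only the second line is flagged. A pattern match on the request line is a triage signal, not proof of exploitation: the interesting follow-up is whether the matched value was stored, which means checking the plugin's database table or an application-level audit log, and whether the source address is the attacker's or Telegram's.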

Compensating Controls: If immediate patching is not feasible, put a WAF with strict XSS rules in front of the site, bearing in mind that it only inspects traffic that passes through it. Enforce a Content Security Policy (CSP) that disallows inline scripts (no 'unsafe-inline'; use nonces or hashes for the scripts the site legitimately needs), which limits what an injected payload can execute even once it is stored. Test the policy against the admin dashboard before enforcing it, since WordPress core and many plugins rely on inline scripts and an over-strict CSP will break them.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity of this vulnerability (CVSS 7.2) and the potential for complete website compromise, it is strongly recommended that organizations take immediate action. The primary course of action is to update the affected "Telegram Bot & Channel" plugin to the latest patched version without delay. Although not currently listed in the CISA KEV catalog, the straightforward nature of Stored XSS attacks makes this an attractive target for attackers, and proactive remediation is critical to prevent future compromise.