CVE-2026-40732 | Severity: HIGH | CNA: Patchstack

CVE-2026-40732: WordPress Notification for Telegram plugin <= 3.5 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting (XSS) in Notification for Telegram <= 3.5 versions.

Metrics

  • CVSS v3.1: 7.1
  • Severity: HIGH
  • Fixed in: no fix version published yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is a stored or reflected cross-site scripting (XSS) vulnerability in the Notification for Telegram WordPress plugin, versions 3.5 and earlier. The flaw is reachable over the network without any authentication, but requires a victim to interact with malicious content, such as clicking a crafted link or visiting a page containing injected script. Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser, potentially reading session data, injecting content, or disrupting the page. No fix version has been published yet; HarborGuard tracks the advisory and will flag a patched-image rebuild as soon as upstream ships a fix.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-40732 is available across every HarborGuard environment: the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images, including custom-built WordPress images that bundle this plugin. Any image carrying the Notification for Telegram plugin at version 3.5 or below is flagged automatically.

Triage: Available

Triage is available at the base score of 7.1 (High, CVSS v3.1), and HarborGuard applies per-environment compliance policy weighting on top of that base score to prioritize the finding appropriately. Routed alerts reach the team or inbox configured in each customer organization's policy, so the right people see the finding without manual filtering.

Patch: Pending upstream

Because no fix version has been published upstream, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released by the maintainer. In the meantime, customers can apply compensating controls such as network-policy isolation for the affected workload or WAF rules to filter reflected script payloads.

Exploit Conditions

  • Network reachability: Required

    The vulnerable plugin endpoint is exposed over the network, so an attacker must be able to reach the WordPress installation via HTTP or HTTPS.

  • Authentication: Not required

    No account or session credential is needed; the attacker can interact with the vulnerable component as an anonymous user.

  • Victim interaction: Required

    A victim must take an action, such as clicking a crafted link or loading a page containing the injected payload, for the script to execute in their browser.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layout, or other variable environmental factors.

Blast Radius

  • Reads browser-accessible session tokens or authentication cookies belonging to the victim, which can be used to hijack their WordPress session.
  • Injects arbitrary content or redirects into the page as rendered in the victim's browser, enabling phishing or defacement within the site context.
  • Performs actions on the WordPress site on behalf of the victim, using their privilege level, such as changing settings or posting content.
  • Disrupts the victim's page experience by modifying or removing rendered content, causing partial denial of service at the browser level.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active and any image containing the Notification for Telegram plugin at version 3.5 or below is surfaced automatically, including custom-built WordPress images. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available and trigger the auto-remediation flow (rebuild, regression run, and PR against affected workloads) the moment a fix version is published, for customers with auto-remediation enabled. While no patch is available, compensating controls worth considering include placing a web application firewall (WAF) rule to filter reflected script patterns on WordPress plugin endpoints, isolating the affected workload with a network policy that restricts inbound access to trusted sources, and reviewing whether the plugin's notification features can be disabled via a feature flag or plugin toggle until a patch ships.

Affected packages

  • rainafarai / Notification for Telegram, versions ≤ 3.5

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L