CVE-2026-7620
Gravedad CVSS v3.1:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
11/07/2026
Última modificación:
11/07/2026
Descripción
*** Pendiente de traducción *** The Notification for Telegram plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.5.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to create, modify, or reschedule the nftb_cron_hook WordPress cron event, enabling unauthorized manipulation of the plugin's background task scheduling logic.
Impacto
Puntuación base 3.x
4.30
Gravedad 3.x
MEDIA
Referencias a soluciones, herramientas e información
- https://plugins.trac.wordpress.org/browser/notification-for-telegram/tags/3.5.1/include/nftncron.php#L122
- https://plugins.trac.wordpress.org/browser/notification-for-telegram/tags/3.5.1/include/nftncron.php#L126
- https://plugins.trac.wordpress.org/browser/notification-for-telegram/tags/3.5.1/include/nftncron.php#L94
- https://plugins.trac.wordpress.org/browser/notification-for-telegram/tags/3.5/include/nftncron.php#L122
- https://plugins.trac.wordpress.org/browser/notification-for-telegram/tags/3.5/include/nftncron.php#L126
- https://plugins.trac.wordpress.org/browser/notification-for-telegram/tags/3.5/include/nftncron.php#L94
- https://plugins.trac.wordpress.org/browser/notification-for-telegram/trunk/include/nftncron.php#L122
- https://plugins.trac.wordpress.org/browser/notification-for-telegram/trunk/include/nftncron.php#L126
- https://plugins.trac.wordpress.org/browser/notification-for-telegram/trunk/include/nftncron.php#L94
- https://plugins.trac.wordpress.org/changeset?reponame=&old=3524838%40notification-for-telegram&new=3524838%40notification-for-telegram
- https://www.wordfence.com/threat-intel/vulnerabilities/id/01055be6-42ae-405f-9c8b-7acf5297867e?source=cve



