CVE-2025-5236 – NinjaTeam Chat for Telegram WordPress Stored Cross-Site Scripting

May 30, 2025

CVE ID : CVE-2025-5236

Published : May 30, 2025, 8:15 a.m. | 1 hour, 21 minutes ago

Description : The NinjaTeam Chat for Telegram plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘username’ parameter in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-48334 – BinaryCarpenter Woo Slider Pro Missing Authorization Vulnerability

Next Article CVE-2025-4431 – Unsplash WordPress Plugin Missing Capability Check Allows Unauthorized Data Modification

Highlights

CVE-2025-46815 – ZITADEL IdP Intent Session Token Abuse

May 6, 2025

CVE ID : CVE-2025-46815

Published : May 6, 2025, 6:15 p.m. | 1 hour, 19 minutes ago

Description : The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. These id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application’s URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It’s important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available.

Severity: 8.0 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

The Case For Minimal WordPress Setups: A Contrarian View On Theme Frameworks

How To Fix Largest Contentful Paint Issues With Subpart Analysis

How To Prevent WordPress SQL Injection Attacks

Smashing Animations Part 4: Optimising SVGs

I test AI tools for a living. Here are 3 image generators I actually use and how

The world’s smallest 65W USB-C charger is my latest travel essential

This Spotlight alternative for Mac is my secret weapon for AI-powered search

Tech prophet Mary Meeker just dropped a massive report on AI trends – here’s your TL;DR

Beyond AEM: How Adobe Sensei Powers the Full Enterprise Experience

Beyond AEM: How Adobe Sensei Powers the Full Enterprise Experience

Simplify Negative Relation Queries with Laravel’s whereDoesntHaveRelation Methods

Cast Model Properties to a Uri Instance in 12.17

My Favorite Obsidian Plugins and Their Hidden Settings

My Favorite Obsidian Plugins and Their Hidden Settings

Rilasciata /e/OS 3.0: Nuova Vita per Android Senza Google, Più Privacy e Controllo per l’Utente

Rilasciata Oracle Linux 9.6: Scopri le Novità e i Miglioramenti nella Sicurezza e nelle Prestazioni

CVE-2025-5236 – NinjaTeam Chat for Telegram WordPress Stored Cross-Site Scripting

HPE StoreOnce Faces Critical CVE-2025-37093 Vulnerability — Urges Immediate Patch Upgrade

CISA Adds Qualcomm Vulnerabilities to KEV Catalog

Hugging Face Introduces a Free Model Context Protocol (MCP) Course: A Developer’s Guide to Build and Deploy Context-Aware AI Agents and Applications

How to Build a Website from Scratch – Start to Finish Walkthrough

Microsoft emergency update fixes a Windows 11 bug removing Copilot app

How to use Apple Maps on the web (and 3 reasons why you should)

CVE-2025-46815 – ZITADEL IdP Intent Session Token Abuse

Transition a pivot query that includes dynamic columns from SQL Server to PostgreSQL

Windows 11’s “Handoff” clone is official, and it works with iOS or Android

Reimagining the Semantic Web

CVE-2025-5236 – NinjaTeam Chat for Telegram WordPress Stored Cross-Site Scripting

Related Posts