Description
The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject Webling forms and memberlists with arbitrary web scripts that will execute whenever an administrator views the related form or memberlist area of the WordPress admin.
Published: 2026-04-10
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that executes in the administrator context by authenticated users
Action: Immediate Patch
AI Analysis

Impact

The vulnerability allows a subscriber‑level or higher account to submit JavaScript through the "title" field of Webling forms or member lists. The injected code is stored and later rendered when an administrator views the affected form or list, resulting in client‑side script execution that runs with the administrator’s privileges. Such execution can lead to theft of admin session cookies, defacement, or further exploitation of the site.

Affected Systems

WordPress sites that have the Webling plugin from usystemsgmbh installed in any version up to and including 3.9.0 are affected. No newer versions are listed as vulnerable, so sites using 3.9.1 or later are not impacted.

Risk and Exploitability

The CVSS score is 6.4, indicating moderate severity. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an authenticated user with Subscriber or higher privileges who can edit a form or member list via the plugin’s admin interface; no special network or local access is required beyond standard web interaction with the WordPress admin area.

Generated by OpenCVE AI on April 10, 2026 at 02:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Webling plugin to version 3.9.1 or later as released by the vendor
  • Verify that all user accounts with Subscriber or higher roles have not been compromised; consider temporarily deactivating suspicious accounts
  • Review all existing forms and member lists for injected scripts and remove any suspicious code
  • Apply the highest available WordPress user capabilities checks to prevent unauthorized editing of plugin data

Generated by OpenCVE AI on April 10, 2026 at 02:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Usystemsgmbh
Usystemsgmbh webling
Wordpress
Wordpress wordpress
Vendors & Products Usystemsgmbh
Usystemsgmbh webling
Wordpress
Wordpress wordpress

Fri, 10 Apr 2026 01:45:00 +0000

Type Values Removed Values Added
Description The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject Webling forms and memberlists with arbitrary web scripts that will execute whenever an administrator views the related form or memberlist area of the WordPress admin.
Title Webling <= 3.9.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'title' Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Usystemsgmbh Webling
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-10T15:54:58.703Z

Reserved: 2026-01-20T21:18:05.973Z

Link: CVE-2026-1263

cve-icon Vulnrichment

Updated: 2026-04-10T15:51:53.295Z

cve-icon NVD

Status : Received

Published: 2026-04-10T02:16:02.083

Modified: 2026-04-10T02:16:02.083

Link: CVE-2026-1263

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:27:10Z

Weaknesses