EUVD-2026-21248CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
3Description
The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject Webling forms and memberlists with arbitrary web scripts that will execute whenever an administrator views the related form or memberlist area of the WordPress admin.
Analysis
Stored Cross-Site Scripting (XSS) in the Webling WordPress plugin versions up to 3.9.0 allows authenticated attackers with Subscriber-level access to inject malicious scripts into forms and memberlists that execute when administrators view the admin interface. The vulnerability stems from insufficient input sanitization and output escaping in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions, combined with missing capability checks. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today