6.4
Webling Plugin for WordPress: Malicious Code Injection Risk
CVE-2026-1263
Summary
The Webling plugin for WordPress has a stored cross-site scripting flaw that lets an authenticated user with Subscriber-level access or higher inject script into Webling forms and memberlists. The injected script runs when an administrator views the related form or memberlist area of the admin dashboard, potentially allowing the attacker to take control of the site. To protect your site, you should update the Webling plugin to the latest version or consider replacing it with a different plugin.
Original title
The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and m...
Original description
The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject Webling forms and memberlists with arbitrary web scripts that will execute whenever an administrator views the related form or memberlist area of the WordPress admin.
NVD CVSS 3.1
6.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
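The description names three missing controls: capability checks, input sanitization and output escaping. The sketch below is an added illustration of that pattern in a WordPress admin save handler and is not the Webling plugin's code; the hook, nonce, option and field names and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Added illustration: hypothetical handlers, not the Webling plugin's code.
// Hook, nonce, option and field names are assumptions made for this example.

// Flawed shape (not hooked anywhere): no capability check, no nonce,
// raw input stored. admin_post_* fires for every logged-in user, so a
// Subscriber could reach a handler written like this.
function example_save_form_unsafe() {
    update_option('example_form', array('title' => $_POST['title']));
}

add_action('admin_post_example_save_form', 'example_save_form');

// Hardened shape.
function example_save_form() {
    // 1. Capability check: the handler must authorize the caller itself.
    if (!current_user_can('manage_options')) {
        wp_die('Forbidden', '', array('response' => 403));
    }
    // 2. Nonce check: rejects requests that did not come from the admin form.
    check_admin_referer('example_save_form');

    // 3. Input sanitization before storage: plain text for the title,
    //    an allow-list of post HTML for the longer notice field.
    $title  = isset($_POST['title'])
        ? sanitize_text_field(wp_unslash($_POST['title'])) : '';
    $notice = isset($_POST['notice'])
        ? wp_kses_post(wp_unslash($_POST['notice'])) : '';

    update_option('example_form', array('title' => $title, 'notice' => $notice));
    wp_safe_redirect(admin_url('admin.php?page=example_forms'));
    exit;
}

// 4. Output escaping when the stored value is rendered in the admin list,
//    so rows saved before the fix are also neutralized on display.
function example_render_form_row() {
    $form = get_option('example_form', array('title' => '', 'notice' => ''));
    printf(
        '<tr><td>%s</td><td>%s</td></tr>',
        esc_html($form['title']),
        wp_kses_post($form['notice'])
    );
}
```

Escaping at render time matters even after the save path is fixed, because values stored while the site ran an affected version remain in the database.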
- https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/...
- https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/actions/...
- https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Fo...
- https://plugins.trac.wordpress.org/browser/webling/tags/3.9.0/src/admin/lists/Me...
- https://plugins.trac.wordpress.org/changeset?old_path=%2Fwebling/tags/3.9.0&new_...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/bd8fbe0d-0709-4fa2-929...
Published: 10 Apr 2026 · Updated: 10 Apr 2026 · First seen: 10 Apr 2026