Stored Cross-Site Scripting Vulnerability in Webling Plugin for WordPress
CVE-2026-1263

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Webling
Vendor: CVE Published:; 10 April 2026

What is CVE-2026-1263?

The Webling plugin for WordPress is susceptible to Stored Cross-Site Scripting vulnerability across all versions up to and including 3.9.0. This arises due to inadequate input validation, insufficient output escaping, and a lack of capability checks in the functions responsible for saving forms and member lists. Authenticated attackers with Subscriber-level permissions or higher can exploit this flaw to inject malicious scripts into Webling forms and member lists. These scripts will execute whenever an administrator accesses the affected areas in the WordPress admin panel, posing significant security risks to the integrity of the site.

Affected Version(s)

Webling 0 <= 3.9.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/webling/tags/3...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 10, 2026
Vulnerability Reserved
Jan 20, 2026

Credit

Kate Kligman

CVE-2026-1263 Data

JSON