The Webling plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) due to inadequate input validation and output escaping in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions. This allows authenticated users with at least Subscriber privileges to inject arbitrary web scripts into forms and memberlists. These scripts execute in the context of administrators who view these areas, potentially leading to session hijacking or other script-based attacks. The vulnerability affects all versions up to and including 3.9.0. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and partial impact on confidentiality and integrity. No patch or official remediation has been published by the vendor as of the provided data.

An attacker with Subscriber-level access or higher can inject persistent malicious scripts into Webling forms and memberlists. These scripts execute in the administrator's browser when viewing the affected admin pages, potentially allowing the attacker to compromise administrator sessions or perform unauthorized actions within the WordPress admin interface. The impact is limited to confidentiality and integrity with no direct availability impact. There are no known exploits in the wild currently.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, administrators should restrict Subscriber-level access carefully and consider monitoring or limiting access to the affected Webling plugin features. Applying general WordPress security best practices may help reduce risk but will not fully mitigate this vulnerability.