Webling <= 3.9.0 – Authenticated (Administrator+) Stored Cross-Site Scripting | CVE 2025-31806 | Plugin Vulnerabilities

Description

The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.9.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only impacts multi-site installations and installations where unfiltered_html has been disabled.

Affects Plugins

No known fix

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/d4b4b5a0-b121-4ed2-b3ae-506f2950c7cf

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Nabil Irawan

Verified

No

WPVDB ID

add877f9-9f86-4028-bb17-5e958ec18550

Timeline

Publicly Published

2025-04-01 (about 11 months ago)

Added

2025-04-09 (about 10 months ago)

Last Updated

2025-04-09 (about 10 months ago)

Other

Published

Title

Published

2026-01-23

Title

Meta-box GalleryMeta < 3.1 - Authenticated (Editor+) Stored Cross-Site Scripting via Image Caption

Published

2024-09-24

Title

Contact Form to Any API < 1.2.5 - Unauthenticated Stored Cross-Site Scripting via Contact Form

Published

2021-07-26

Title

GiveWP < 2.12.0 - Admin+ Stored XSS

Published

2025-03-26

Title

TablePress < 3.1 - Author+ Stored XSS

Published

2026-01-16

Title

Dooodl <= 2.3.0 - Reflected Cross-Site Scripting