Does Webling have any unpatched vulnerabilities?

Yes — Webling currently has 1 unpatched vulnerability. We recommend switching to an alternative or applying any available workarounds.

Is Webling compatible with WordPress 6.7.5?

According to WordPress.org data, Webling 3.9.1 has been tested up to WordPress 6.7.5. Check the plugin's changelog for the latest compatibility information.

Is Webling compatible with PHP 5.6+?

Webling requires PHP 5.6 or higher. Most modern WordPress hosts run PHP 8.1 or 8.2. If you are on an older PHP version, consider upgrading before installing this plugin.

How often is Webling updated?

Webling was last updated on Mar 3, 2026. Frequent updates are generally a positive security signal.

What is Webling's security score?

Webling has a WP-Safety security score of 79/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

Webling Security & Risk Analysis

wordpress.org/plugins/webling

Anmeldeformulare und Mitgliederdaten aus der Vereinssoftware webling.eu auf deiner Webseite anzeigen.

500 active installs v3.9.1 PHP 5.6+ WP 4.6+ Updated Mar 3, 2026

anmeldungmitgliedervereinvereinssoftwarewebling

B · Generally Safe

CVEs total1

Unpatched1

Last CVEApr 1, 2025

Plugin page Download

Safety Verdict

Is Webling Safe to Use in 2026?

Mostly Safe

Score 79/100

Webling is generally safe to use. 1 past CVE were resolved. Keep it updated.

1 known CVE 1 unpatched Last CVE: Apr 1, 2025Updated 1mo ago

Risk Assessment

The 'webling' plugin v3.9.1 presents a mixed security posture. While it demonstrates some good practices like a significant percentage of SQL queries using prepared statements and a decent number of nonce and capability checks, there are several concerning areas. The presence of the `unserialize` function is a significant risk, as it can lead to Remote Code Execution if misused with untrusted input. Furthermore, the static analysis reveals a REST API route exposed without permission callbacks, creating an unprotected entry point into the plugin's functionality. The taint analysis further amplifies these concerns, showing four flows with unsanitized paths, all categorized as high severity. This suggests potential vulnerabilities where user input might not be adequately validated or escaped, leading to data leakage or manipulation. The vulnerability history, while not indicating critical or high severity past issues, does show a medium severity Cross-site Scripting vulnerability from April 2025 that remains unpatched. This persistent vulnerability, coupled with the new high-severity taint flows and the unprotected REST API endpoint, indicates a need for immediate attention and remediation to strengthen the plugin's overall security.

Key Concerns

Unprotected REST API route
High severity unsanitized taint flows
Dangerous function 'unserialize' used
Unpatched medium severity CVE
Low percentage of properly escaped output

Vulnerabilities

Webling Security Vulnerabilities

CVEs by Year

1 CVE in 2025 · unpatched

2025

Patched Has unpatched

Severity Breakdown

Medium

1 total CVE

CVE-2025-31806medium · 5.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Webling <= 3.9.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 1, 2025Unpatched

Code Analysis

Analyzed Mar 16, 2026

Webling Code Analysis

Dangerous Functions

Raw SQL Queries

31 prepared

Unescaped Output

151

190 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

unserialize<?php echo self::groupselector(unserialize($data['groups'])) ?>src\admin\pages\memberlist_edit.php:100

unserialize$groupIds = unserialize($listconfig['groups']);src\helpers\WeblingMemberlistHelper.php:23

SQL Query Safety

62% prepared50 total queries

Output Escaping

56% escaped341 total outputs

Data Flows

4 unsanitized

Data Flow Analysis

12 flows4 with unsanitized paths

webling_form_submit (src\actions\webling_form_submit.php:12)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

1 unprotected

Webling Attack Surface

Entry Points3

Unprotected1

REST API Routes 1

GET/wp-json/webling/v1/memberimagesrc\actions\webling_rest_api.php:7

Shortcodes 2

[webling_memberlist] webling.php:57

[webling_form] webling.php:58

WordPress Hooks 13

filterpre_update_option_webling-optionssrc\admin\actions\init.php:10

actionadmin_initsrc\admin\admin.php:32

actionadmin_initsrc\admin\admin.php:33

actionadmin_post_save_memberlistsrc\admin\admin.php:37

actionadmin_post_save_formsrc\admin\admin.php:38

actionadmin_menusrc\admin\admin.php:42

actionadmin_enqueue_scriptssrc\admin\admin.php:48

actionupdate_option_webling-optionssrc\admin\admin.php:51

actionadmin_post_webling-clear-cachesrc\admin\admin.php:54

actionplugins_loadedwebling.php:47

actioninitwebling.php:61

actionwp_headwebling.php:64

actionrest_api_initwebling.php:67

Maintenance & Trust

Webling Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5

Last updatedMar 3, 2026

PHP min version5.6

Downloads12K

Community Trust

Rating100/100

Number of ratings3

Active installs500

Alternatives

Webling Alternatives

VereinOnline.org

vereinonline

100

Zeigt VereinOnline-Inhalte in WordPress an. http://www.vereinonline.org/

200 No CVEs

Dr. Flex

dr-flex

Das offizielle Dr. Flex® Wordpress Plugin zur einfachen Einbindung des Dr. Flex® Buchungstools auf Ihrer Website.

1K 1 CVE

easyVerein

easyverein

100

Das offizielle easyVerein Plugin für WordPress.

300 No CVEs

Vereinsantrag Formular

vereinsantrag-formular

100

Bindet Onlineformulare für Mitgliedsanträge, Änderungen und Kündigungen auf Vereinswebsites ein – responsiv und datenschutzkonform.

40 No CVEs

Microtango

microtango

Microtango WordPress integration. This plugin requires a Microtango subscription. It loads data from the Microtango REST API and renders it on your si …

30 1 CVE

Developer Profile

Webling Developer Profile

uSystems

1 plugin · 500 total installs

trust score

Avg Security Score

79/100

Avg Patch Time

30 days

View full developer profile

Detection Fingerprints

How We Detect Webling

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/webling/css/admin.css/wp-content/plugins/webling/js/admin.js/wp-content/plugins/webling/js/jquery-ui-1.12.1.custom/jquery-ui.min.css

Script Paths

/wp-content/plugins/webling/js/admin.js

Version Parameters

webling/css/admin.css?pluginver=webling/js/admin.js?pluginver=webling/js/jquery-ui-1.12.1.custom/jquery-ui.min.css?pluginver=

HTML / DOM Fingerprints

CSS Classes

webling-memberlistwebling-memberwebling-form-field

HTML Comments

+1 more

Data Attributes

data-webling-list-iddata-webling-member-iddata-webling-field-id

JS Globals

webling_admin_ajax_objectwebling_memberlist_data

REST Endpoints

/wp-json/webling/v1/memberimage

Shortcode Output

<div class="webling-memberlist"><form class="webling-form" method="post">

FAQ