WP-Safety

Webling Security & Risk Analysis

wordpress.org/plugins/webling

Anmeldeformulare und Mitgliederdaten aus der Vereinssoftware webling.eu auf deiner Webseite anzeigen.

500 active installs v3.9.1 PHP 5.6+ WP 4.6+ Updated Mar 3, 2026
anmeldungmitgliedervereinvereinssoftwarewebling
98
A · Safe
CVEs total2
Unpatched0
Last CVEApr 9, 2026
Plugin page Download
Safety Verdict

Is Webling Safe to Use in 2026?

Generally Safe

Score 98/100

Webling has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

2 known CVEsLast CVE: Apr 9, 2026Updated 2mo ago
Risk Assessment

The 'webling' plugin v3.9.1 presents a mixed security posture. While it demonstrates some good practices like a significant percentage of SQL queries using prepared statements and a decent number of nonce and capability checks, there are several concerning areas. The presence of the `unserialize` function is a significant risk, as it can lead to Remote Code Execution if misused with untrusted input. Furthermore, the static analysis reveals a REST API route exposed without permission callbacks, creating an unprotected entry point into the plugin's functionality. The taint analysis further amplifies these concerns, showing four flows with unsanitized paths, all categorized as high severity. This suggests potential vulnerabilities where user input might not be adequately validated or escaped, leading to data leakage or manipulation. The vulnerability history, while not indicating critical or high severity past issues, does show a medium severity Cross-site Scripting vulnerability from April 2025 that remains unpatched. This persistent vulnerability, coupled with the new high-severity taint flows and the unprotected REST API endpoint, indicates a need for immediate attention and remediation to strengthen the plugin's overall security.

Key Concerns

  • Unprotected REST API route
  • High severity unsanitized taint flows
  • Dangerous function 'unserialize' used
  • Unpatched medium severity CVE
  • Low percentage of properly escaped output
Vulnerabilities
2 published

Webling Security Vulnerabilities

CVEs by Year

1 CVE in 2025
2025
1 CVE in 2026
2026
Patched Has unpatched

Severity Breakdown

Medium
2

2 total CVEs

CVE-2026-1263medium · 6.4Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Webling <= 3.9.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'title' Parameter

Apr 9, 2026 Patched in 3.9.1 (1d)
CVE-2025-31806medium · 5.5Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Webling <= 3.9.0 - Authenticated (Administrator+) Stored Cross-Site Scripting

Apr 1, 2025 Patched in 3.9.1 (351d)
Version History

Webling Release Timeline

v3.9.1Current
v3.9.02 CVEs
CVE-2026-1263 CVE-2025-31806
v3.8.02 CVEs
CVE-2026-1263 CVE-2025-31806
v3.7.32 CVEs
CVE-2026-1263 CVE-2025-31806
v3.7.22 CVEs
CVE-2026-1263 CVE-2025-31806
v3.7.12 CVEs
CVE-2026-1263 CVE-2025-31806
v3.7.02 CVEs
CVE-2026-1263 CVE-2025-31806
v3.6.02 CVEs
CVE-2026-1263 CVE-2025-31806
v3.5.02 CVEs
CVE-2026-1263 CVE-2025-31806
v3.4.12 CVEs
CVE-2026-1263 CVE-2025-31806
v3.4.02 CVEs
CVE-2026-1263 CVE-2025-31806
v3.3.02 CVEs
CVE-2026-1263 CVE-2025-31806
v3.2.12 CVEs
CVE-2026-1263 CVE-2025-31806
v3.2.02 CVEs
CVE-2026-1263 CVE-2025-31806
v3.1.22 CVEs
CVE-2026-1263 CVE-2025-31806
v3.1.12 CVEs
CVE-2026-1263 CVE-2025-31806
v3.1.02 CVEs
CVE-2026-1263 CVE-2025-31806
v3.0.32 CVEs
CVE-2026-1263 CVE-2025-31806
v3.0.22 CVEs
CVE-2026-1263 CVE-2025-31806
v3.0.12 CVEs
CVE-2026-1263 CVE-2025-31806
Code Analysis
Analyzed Mar 16, 2026

Webling Code Analysis

Dangerous Functions
2
Raw SQL Queries
19
31 prepared
Unescaped Output
151
190 escaped
Nonce Checks
8
Capability Checks
4
File Operations
9
External Requests
0
Bundled Libraries
0

Dangerous Functions Found

unserialize<?php echo self::groupselector(unserialize($data['groups'])) ?>src\admin\pages\memberlist_edit.php:100
unserialize$groupIds = unserialize($listconfig['groups']);src\helpers\WeblingMemberlistHelper.php:23

SQL Query Safety

62% prepared50 total queries

Output Escaping

56% escaped341 total outputs
Data Flows · Security
4 unsanitized

Data Flow Analysis

12 flows4 with unsanitized paths
webling_form_submit (src\actions\webling_form_submit.php:12)
Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized
Attack Surface
1 unprotected

Webling Attack Surface

Entry Points3
Unprotected1

REST API Routes 1

GET/wp-json/webling/v1/memberimagesrc\actions\webling_rest_api.php:7

Shortcodes 2

[webling_memberlist] webling.php:57
[webling_form] webling.php:58
WordPress Hooks 13
filterpre_update_option_webling-optionssrc\admin\actions\init.php:10
actionadmin_initsrc\admin\admin.php:32
actionadmin_initsrc\admin\admin.php:33
actionadmin_post_save_memberlistsrc\admin\admin.php:37
actionadmin_post_save_formsrc\admin\admin.php:38
actionadmin_menusrc\admin\admin.php:42
actionadmin_enqueue_scriptssrc\admin\admin.php:48
actionupdate_option_webling-optionssrc\admin\admin.php:51
actionadmin_post_webling-clear-cachesrc\admin\admin.php:54
actionplugins_loadedwebling.php:47
actioninitwebling.php:61
actionwp_headwebling.php:64
actionrest_api_initwebling.php:67
Maintenance & Trust

Webling Maintenance & Trust

Maintenance Signals

WordPress version tested6.7.5
Last updatedMar 3, 2026
PHP min version5.6
Downloads12K

Community Trust

Rating100/100
Number of ratings3
Active installs500
Alternatives

Webling Alternatives

VereinOnline.org

VereinOnline.org

vereinonline

A
100

Zeigt VereinOnline-Inhalte in WordPress an. http://www.vereinonline.org/

200 No CVEs
Dr. Flex

Dr. Flex

dr-flex

A
91

Das offizielle Dr. Flex® Wordpress Plugin zur einfachen Einbindung des Dr. Flex® Buchungstools auf Ihrer Website.

1K 1 CVE
easyVerein

easyVerein

easyverein

A
100

Das offizielle easyVerein Plugin für WordPress.

300 No CVEs
Vereinsantrag Formular

Vereinsantrag Formular

vereinsantrag-formular

A
100

Bindet Onlineformulare für Mitgliedsanträge, Änderungen und Kündigungen auf Vereinswebsites ein – responsiv und datenschutzkonform.

50 No CVEs
Microtango

Microtango

microtango

A
99

Microtango WordPress integration. This plugin requires a Microtango subscription. It loads data from the Microtango REST API and renders it on your si &hellip;

20 1 CVE
Developer Profile

Webling Developer Profile

uSystems

1 plugin · 500 total installs

78
trust score
Avg Security Score
98/100
Avg Patch Time
176 days
View full developer profile
Detection Fingerprints

How We Detect Webling

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/webling/css/admin.css/wp-content/plugins/webling/js/admin.js/wp-content/plugins/webling/js/jquery-ui-1.12.1.custom/jquery-ui.min.css
Script Paths
/wp-content/plugins/webling/js/admin.js
Version Parameters
webling/css/admin.css?pluginver=webling/js/admin.js?pluginver=webling/js/jquery-ui-1.12.1.custom/jquery-ui.min.css?pluginver=

HTML / DOM Fingerprints

CSS Classes
webling-memberlistwebling-memberwebling-form-field
HTML Comments
<!-- START Webling Memberlist --><!-- END Webling Memberlist --><!-- START Webling Form --><!-- END Webling Form -->+1 more
Data Attributes
data-webling-list-iddata-webling-member-iddata-webling-field-id
JS Globals
webling_admin_ajax_objectwebling_memberlist_data
REST Endpoints
/wp-json/webling/v1/memberimage
Shortcode Output
<div class="webling-memberlist"><form class="webling-form" method="post">
FAQ

Frequently Asked Questions about Webling