Kate Kligman

Name of the Vulnerable Software and Affected Versions Webling plugin for WordPress versions prior to 3.9.1 Description The Webling plugin for WordPress is susceptible to Stored Cross-Site Scripting due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the `webling admin save form` and `webling admin save memberlist` functions. Authenticated attackers with Subscriber-level access or higher can inject arbitrary web scripts into Webling forms and memberlists. These scripts will execute when an administrator views the corresponding form or memberlist area within the WordPress admin interface. Recommendations Update the Webling plugin to version 3.9.1 or later.

**Name of the Vulnerable Software and Affected Versions** The 1 Click WordPress Migration Plugin versions prior to 2.3 **Description** The issue is related to a missing capability check on the `start restore` function, allowing authenticated attackers with Subscriber-level access and above to upload arbitrary files on the affected site's server. This could potentially lead to remote code execution. **Recommendations** For versions up to and including 2.2, update to version 2.3 or later to resolve the issue. As a temporary workaround, consider disabling the `start restore` function until a patch is available. Restrict access to file upload functionality to minimize the risk of exploitation.