CVE-2026-28100

Vulnerability

Overview

The UberSlider PerpetuumMobile WordPress plugin versions up to and including 2.3.0 are vulnerable to Reflected Cross-Site Scripting (XSS) due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into a page, which is then reflected back to the victim's browser.

Exploitation

Details

Exploitation requires user interaction — a victim must click a crafted link or visit a specially prepared page [1]. No authentication is needed to trigger the reflected payload, making the attack surface broad. The vulnerability is classified as High severity (CVSS 7.1) and is expected to be used in mass-exploit campaigns targeting thousands of WordPress sites regardless of size or popularity [1].

Impact

Successful exploitation enables an attacker to execute malicious scripts, such as redirects, advertisements, or other HTML payloads, to be executed in the context of the victim's browser when they visit the affected site [1]. This can lead to session hijacking, defacement, or further compromise of the site and its visitors.

Mitigation

Users should immediately update the plugin to a patched version if available. As a temporary measure, Patchstack has issued a mitigation rule to block attacks until an official patch can be tested and safely applied [1]. If updating is not possible, consult your hosting provider or web host or developer for assistance [1].