CVE-2026-28101

Vulnerability

Overview

The UberSlider MouseInteraction plugin for WordPress (versions up to and including 2.3) contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw enables an attacker to inject arbitrary HTML and JavaScript into a page, which is vulnerable page.

Exploitation

Exploitation requires user interaction—a privileged user must click a crafted link, visit a specially prepared page, or submit a malicious form [1]. The attack does not require authentication from the victim beyond being logged into WordPress, but the target user must have sufficient privileges to trigger the vulnerable functionality.

Impact

Successful exploitation allows an attacker to execute arbitrary scripts in the context of the victim's browser session. This can be used to inject redirects, advertisements, or other HTML payloads that execute when other users visit the site [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Mitigation

As of the publication date, no official patch has been released. Users are advised to update the plugin immediately when a fix becomes available. In the interim, Patchstack has issued a mitigation rule to block attacks until an official patch can be safely applied [1]. If unable to update, users should contact their hosting provider or web developer for assistance [1].