VYPR
High severity · 7.1 · NVD Advisory · Published Mar 5, 2026 · Updated Apr 22, 2026

CVE-2026-28102

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup UberSlider Classic uberSlider_classic allows Reflected XSS. This issue affects UberSlider Classic: from n/a through <= 2.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in WordPress UberSlider Classic plugin versions <= 2.5 allows attackers to inject malicious scripts via a crafted link.

Vulnerability Overview

The UberSlider Classic plugin for WordPress versions up to and including 2.5 contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This vulnerability allows attackers to inject arbitrary HTML and JavaScript into the plugin's output.

Exploitation Details

Successful exploitation requires user interaction, as the victim must click a malicious link, visit a specially crafted page, or submit a form [1]. The attack does not require authentication, making it accessible to any actor who can deliver a crafted URL to a user of a site running the vulnerable plugin [1].

Impact

An attacker can inject malicious scripts that may execute in the context of the victim's session. This can lead to redirects to malicious sites, display of unauthorized advertisements, or other HTML payloads that execute when visitors access the affected site [1]. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites [1].

Mitigation

As an immediate action, users should update the plugin to a patched version if available. If an update is not yet available, applying a security rule (e.g., from Patchstack) can block attacks until an official patch is released [1]. Users unable to update should consult their hosting provider or web developer for assistance [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
