CVE-2026-28103
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LBG Zoominoutslider lbg_zoominoutslider allows Reflected XSS. This issue affects LBG Zoominoutslider: from n/a through <= 5.4.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
LBG Zoominoutslider plugin ≤5.4.5 reflects user input without sanitization, enabling XSS via crafted requests.
Vulnerability Overview
The LBG Zoominoutslider WordPress plugin versions up to and including 5.4.5 suffer from a reflected cross-site scripting (XSS) vulnerability caused by improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML or JavaScript code into a dynamically generated page response.
Attack Vector and Prerequisites
Exploitation does not require authentication but does depend on user interaction. The attacker must trick a privileged user (e.g., an administrator) into clicking a crafted link, visiting a specially prepared page, or submitting a malicious form [1]. The injected script executes in the context of the victim's session and within the affected WordPress admin or site page.
Impact
Successful exploitation enables the attacker to inject malicious scripts such as redirects, advertisements, or other HTML payloads. When the victim visits the compromised page, the script can perform actions like session hijacking, defacement, or phishing within the trusted site context [1]. This type of XSS is frequently used in mass-exploit campaigns targeting thousands of websites [1].
Mitigation Status
Users should update the plugin immediately to a patched version beyond 5.4.5. As an interim measure, Patchstack has released a mitigation rule that blocks attacks until an official patch can be safely applied [1]. Organizations unable to update should consult their hosting provider or web developer for assistance [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <5.4.5
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.