CVE-2026-28108
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Thumbnails all-in-one-thumbnailsBanner allows Reflected XSS. This issue affects LambertGroup - AllInOne - Banner with Thumbnails: from n/a through <= 3.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in LambertGroup AllInOne Banner with Thumbnails WordPress plugin <=3.8 allows attackers to inject arbitrary web scripts via crafted requests.
Vulnerability
Description
The LambertGroup - AllInOne - Banner with Thumbnails plugin for WordPress (version 3.8 and earlier) is vulnerable to reflected Cross-Site Scripting (XSS). This arises due to improper neutralization of user-supplied input in web page generation [1]. An attacker can craft a URL containing malicious script that, when visited, executes in the context of the victim's browser.
Exploitation
Exploitation requires user interaction, such as clicking a crafted link or visiting a specially prepared page. No authentication is needed to trigger the vulnerability, but the target user must be logged into WordPress or have access to the affected page. Given the plugin's wide use, mass-exploit campaigns are possible [1].
Impact
Successful exploitation allows an attacker to inject arbitrary HTML and JavaScript code. This can be used to perform actions like redirecting visitors to malicious sites, displaying advertisements, stealing session cookies, or defacing the website. The CVSS score is 7.1 (High) [1].
Mitigation
As of the advisory, no official patch is available. The recommended action is to update the plugin to a patched version once released. In the meantime, a virtual patch or mitigation rule from Patchstack can block exploitation attempts [1]. Users should disable the plugin if an update is not feasible.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <=3.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.