VYPR
High severity 7.1 · NVD Advisory · Published Mar 5, 2026 · Updated Apr 22, 2026

CVE-2026-28109

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Content Slider all-in-one-contentSlider allows Reflected XSS. This issue affects LambertGroup - AllInOne - Content Slider: from n/a through <= 3.8.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A reflected XSS vulnerability in LambertGroup AllInOne Content Slider WordPress plugin allows attackers to inject malicious scripts, enabling mass exploitation campaigns.

The LambertGroup AllInOne Content Slider plugin for WordPress versions up to and including 3.8 suffers from a reflected cross-site scripting vulnerability due to improper neutralization of user input during web page generation. This allows an attacker to craft a URL that, when visited, injects arbitrary HTML and JavaScript into the site [1].

Exploitation requires user interaction, typically a privileged user clicking a malicious link or visiting a crafted page. Despite this requirement, the vulnerability is considered moderately dangerous and is expected to be exploited in mass campaigns targeting thousands of websites. No authentication is needed for the attack vector, and the injected script executes in the context of the victim's browser [1].

Successful exploitation enables the attacker to inject malicious scripts such as redirects, advertisements, or other HTML payloads. These scripts execute when other users visit the affected site, potentially leading to further attacks or compromise of site visitors [1].

As of publication, no official patch has been released for this vulnerability. Patchstack has provided a virtual patch or mitigation rule to block attacks until an update becomes available. Users are advised to apply the mitigation rule or update the plugin once a patched version is released [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
