CVE-2026-28110
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Playlist all-in-one-bannerWithPlaylist allows Reflected XSS. This issue affects LambertGroup - AllInOne - Banner with Playlist: from n/a through <= 3.8.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The LambertGroup AllInOne Banner with Playlist plugin for WordPress is vulnerable to reflected cross-site scripting (XSS) up to version 3.8.
Vulnerability Analysis
The CVE-2026-28110 vulnerability is a reflected cross-site scripting (XSS) flaw found in the LambertGroup - AllInOne - Banner with Playlist WordPress plugin, affecting versions from n/a up to and including 3.8. The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML or JavaScript code into a response page. This type of flaw falls under the category of Improper Neutralization of Input During Web Page Generation ([1]).
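The description and references give no parameter name or code, so the following is an added, generic illustration of the CWE-79 pattern the analysis describes, not code from the AllInOne Banner with Playlist plugin. The parameter name playlist_title and both function names are hypothetical; the input is a constructed sample.

```php
<?php
// Added illustration, not code from the AllInOne Banner with Playlist plugin.
// The parameter name "playlist_title" and the two functions are hypothetical.

// Vulnerable pattern (CWE-79): the query-string value is written straight into
// the HTML response, so any markup or script it carries is interpreted by the
// browser of whoever follows the crafted URL. Nothing is stored server-side,
// which is what makes the flaw "reflected".
function render_title_unsafe(array $query): string {
    $title = $query['playlist_title'] ?? '';
    return '<h2 class="playlist-title">' . $title . '</h2>';
}

// Hardened pattern: encode for the HTML context at the point of output.
// Inside WordPress the equivalent helpers are esc_html() for element content,
// esc_attr() for attribute values and esc_url() for href/src values;
// htmlspecialchars() is used here so the snippet also runs outside WordPress.
function render_title_safe(array $query): string {
    $title = $query['playlist_title'] ?? '';
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2 class="playlist-title">' . $encoded . '</h2>';
}

// Constructed input: an innocuous tag and quotes are enough to show that
// neutralization is about the output context, not about the particular string.
$constructed_query = ['playlist_title' => 'Summer <em>mix</em> "2026"'];

echo render_title_unsafe($constructed_query), PHP_EOL;
echo render_title_safe($constructed_query), PHP_EOL;
```

The fix belongs at the output sink, not at the input: the same value may later be placed in an attribute, a URL or a JavaScript string, and each context needs its own encoder. In a review of a WordPress plugin, every echo of a $_GET, $_POST or $_REQUEST value that is not wrapped in one of the esc_* helpers is a candidate for this class of finding.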
Attack Vector and Requirements
Exploitation of this vulnerability requires user interaction. An attacker must trick a privileged user (e.g., an administrator) into clicking a crafted malicious link, visiting a specially constructed page, or submitting a form. The attacker does not need any prior authentication or network-level access beyond typical web interaction. Because the attack is reflected, the injected payload does not persist on the server but executes only when the victim visits the attacker's crafted URL ([1]).
Impact
Successful exploitation allows the attacker to execute arbitrary scripts in the context of the victim's browser session on the affected WordPress site. This can lead to a range of actions, such as redirecting visitors to malicious sites, injecting unwanted advertisements, or stealing sensitive session data. The CVSS v3.1 score is 7.1 (High), indicating moderate danger with potential for mass exploitation in automated campaigns targeting thousands of websites regardless of their size or popularity ([1]).
Mitigation Status
As of the publication date (2026-03-05), no official patch from the plugin vendor has been confirmed. Users are strongly advised to update the plugin as soon as a patched version becomes available. In the interim, Patchstack has issued a mitigation rule that can block attacks until an official fix is tested and deployed. Site owners unable to immediately update or apply the mitigation should consider restricting access to the plugin’s functionality or increasing security monitoring for reflected XSS attempts ([1]).
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <= 3.8
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.