CVE-2026-28112

Vulnerability

Overview CVE-2026-28112 is a reflected Cross-Site Scripting (XSS) vulnerability in the LambertGroup AllInOne - Banner Rotator plugin for WordPress, affecting versions from n/a through 3.8. The issue stems from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject arbitrary HTML and JavaScript into a response.[1]

Exploitation

Details Exploitation requires user interaction, such as clicking a malicious link, visiting a crafted page, or submitting a form. The attack can be initiated by a user with minimal privileges, but successful execution relies on an authenticated user performing these actions. The reflected nature means the payload is not stored on the server but is immediately reflected in the response, making it suitable for phishing or social engineering campaigns.[1]

Impact

If exploited, an attacker can inject malicious scripts that execute in the context of the victim's browser. This can lead to redirects to attacker-controlled sites, injection of advertisements, defacement, or theft of sensitive information such as session tokens. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of WordPress sites.[1]

Mitigation

As an immediate action, users should update the plugin to a patched version if available. If an official patch is not yet released, the Patchstack service offers a mitigation rule to block attacks until a fix can be safely applied. Users unable to update should consult their hosting provider or web developer for assistance.[1]