CVE-2026-28127

Vulnerability

Overview The Lawyer Directory plugin for WordPress, versions n/a through 1.3.2, contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into the response, which is then executed in the context of the victim's browser session.

Exploitation

Details Exploitation requires user interaction — a privileged user must click a crafted link, visit a specially visit a malicious page, or submit a form [1]. The attack does not require authentication from the attacker, but the victim must be logged in to the WordPress admin or have a role that can trigger the vulnerable page. The vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of size or popularity [1].

Impact

Successful exploitation enables an attacker to execute arbitrary scripts in the victim's browser, which can be used to redirect users to malicious sites, display unwanted advertisements, or inject other HTML payloads [1]. This can lead to defacement, phishing, or further compromise of the site's visitors.

Mitigation

As of the publication date, no official patch has been released for versions 1.3.2 and earlier. Users are advised to update the plugin immediately once a patched version becomes available [1]. In the interim, Patchstack has issued a mitigation rule to block attacks until an official fix can be tested and safely applied [1]. If updating is not possible, contacting the hosting provider or a web developer for assistance is recommended [1].