UberSlider Ultra CVE-2026-28099
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup UberSlider Ultra uberSlider_ultra allows Reflected XSS.This issue affects UberSlider Ultra: from n/a through <= 2.3.
AnalysisAI
Reflected cross-site scripting in UberSlider Ultra WordPress plugin (versions ≤2.3) enables remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication. EPSS exploitation probability is low (0.04%, 10th percentile), and no active exploitation or public proof-of-concept has been identified at time of analysis. The changed scope (S:C) in the CVSS vector indicates potential impact beyond the vulnerable component itself.
Technical ContextAI
This is a reflected cross-site scripting (CWE-79) vulnerability in UberSlider Ultra, a WordPress slider plugin by LambertGroup. Reflected XSS occurs when user-supplied input is immediately returned in the HTTP response without proper sanitization or output encoding. In WordPress plugins, this typically manifests in admin interfaces or shortcode handlers that echo request parameters (GET/POST) directly into HTML output. The vulnerability allows injection of malicious JavaScript code that executes in the security context of the WordPress site. The changed scope (S:C) in CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L suggests the injected script can affect resources beyond the plugin itself, potentially accessing WordPress session cookies, CSRF tokens, or performing actions as the authenticated victim.
Affected ProductsAI
WordPress plugin UberSlider Ultra by LambertGroup, all versions from earliest release through version 2.3 inclusive. The vulnerability report sourced from Patchstack (audit@patchstack.com) provides specific version boundary at 2.3. No CPE identifier was provided in available data. Vendor advisory and detailed affected version enumeration available at https://patchstack.com/database/Wordpress/Plugin/uberSlider_ultra/vulnerability/wordpress-uberslider-ultra-plugin-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
RemediationAI
Upgrade UberSlider Ultra to a version newer than 2.3 if the vendor has released a patched version. Check the WordPress plugin repository or contact LambertGroup directly for the latest secure version, as the exact fix version was not specified in available data. Review the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/uberSlider_ultra/ for vendor-confirmed patch status and release notes. If no patch is available, implement compensating controls: restrict plugin access to trusted administrators only through WordPress role management, deploy web application firewall rules to filter XSS patterns in requests to plugin endpoints (though this may cause false positives with legitimate slider content containing HTML), educate administrative users about phishing risks and link verification before clicking, and consider disabling the plugin until a patch is released if slider functionality is non-critical. Monitor WordPress access logs for suspicious query parameters containing script tags or JavaScript event handlers targeting UberSlider endpoints.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today