Skip to main content

UberSlider PerpetuumMobile CVE-2026-28100

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-05 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 23, 2026 - 00:20 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 06:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup UberSlider PerpetuumMobile uberSlider_perpetuummobile allows Reflected XSS.This issue affects UberSlider PerpetuumMobile: from n/a through <= 2.3.

AnalysisAI

Reflected cross-site scripting in UberSlider PerpetuumMobile WordPress plugin versions ≤2.3 allows remote attackers to inject malicious scripts that execute in victim browsers when users click crafted links. The vulnerability requires user interaction but no authentication, with CVSS 7.1 (High) severity due to scope change enabling attacks across security boundaries. EPSS score of 0.04% (10th percentile) indicates low current exploitation probability, with no CISA KEV listing or public exploit code identified at time of analysis. Patchstack vulnerability database confirms the flaw affects default plugin configurations.

Technical ContextAI

This vulnerability stems from improper neutralization of user-controlled input during web page generation (CWE-79), the classic root cause of cross-site scripting. The WordPress plugin UberSlider PerpetuumMobile (developed by LambertGroup) fails to sanitize reflected parameters before rendering them in HTTP responses. The CVSS vector indicates network-based attack delivery (AV:N) with low complexity (AC:L), meaning exploitation requires no special network positioning or race conditions. The changed scope (S:C) is significant - successful exploitation allows the attacker's injected JavaScript to execute in a different security context than the vulnerable plugin itself, potentially accessing WordPress session cookies, CSRF tokens, or other site resources protected by same-origin policy. The plugin appears to be a slider/carousel component for WordPress sites, suggesting the XSS likely occurs in configuration interfaces or URL parameters that control slide content or behavior.

Affected ProductsAI

WordPress plugin UberSlider PerpetuumMobile by LambertGroup, all versions through 2.3 inclusive. The version range starts from an unspecified initial release (indicated by 'from n/a' in the description) and includes version 2.3 as the last confirmed vulnerable version. CPE data not provided in available sources. Patchstack vulnerability database entry available at https://patchstack.com/database/Wordpress/Plugin/uberSlider_perpetuummobile/vulnerability/wordpress-uberslider-perpetuummobile-plugin-2-3-reflected-cross-site-scripting-xss-vulnerability serves as the primary reference for affected product confirmation. No vendor advisory from LambertGroup identified in provided references.

RemediationAI

No vendor-released patch identified at time of analysis - the Patchstack reference documents the vulnerability but does not link to a fixed version release from LambertGroup. WordPress site administrators running UberSlider PerpetuumMobile should implement the following compensating controls in priority order: (1) Remove or disable the plugin if slider functionality is not business-critical, eliminating attack surface entirely; (2) If the plugin must remain active, restrict administrative access using WordPress role-based access controls and enable two-factor authentication for all administrator accounts to reduce phishing success rates; (3) Implement Content Security Policy headers with strict script-src directives to prevent inline script execution, though this may interfere with legitimate plugin JavaScript and requires testing; (4) Deploy web application firewall rules to detect and block common XSS patterns in request parameters, accepting some risk of false positives. Monitor the Patchstack reference and WordPress plugin repository for future security updates. Each mitigation trades functionality or administrative overhead for reduced XSS risk - CSP in particular may break existing site features and requires careful tuning.

Share

CVE-2026-28100 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy