Skip to main content

UberSlider MouseInteraction CVE-2026-28101

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-05 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 23, 2026 - 00:19 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 06:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup UberSlider MouseInteraction uberSlider_mouseinteraction allows Reflected XSS.This issue affects UberSlider MouseInteraction: from n/a through <= 2.3.

AnalysisAI

Reflected cross-site scripting in UberSlider MouseInteraction WordPress plugin versions ≤2.3 allows remote attackers to execute arbitrary JavaScript in victim browsers through crafted URLs requiring user interaction. Reported by Patchstack audit team. EPSS score of 0.04% (10th percentile) indicates low probability of widespread exploitation. No CISA KEV listing or public proof-of-concept identified at time of analysis.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) in a WordPress plugin that provides mouse-interaction-based slider functionality. The plugin fails to properly sanitize user-supplied input before rendering it in dynamically generated web pages. The flaw allows malicious JavaScript injection through URL parameters or form inputs that are reflected back to users without adequate HTML encoding or Content Security Policy protections. Affected component: UberSlider MouseInteraction plugin versions from initial release through 2.3, running on WordPress installations where the plugin is active.

Affected ProductsAI

UberSlider MouseInteraction WordPress plugin versions 2.3 and earlier, developed by LambertGroup. The vulnerability affects all installations running these versions regardless of WordPress core version. Vendor advisory and technical details available through Patchstack database at https://patchstack.com/database/Wordpress/Plugin/uberSlider_mouseinteraction/vulnerability/wordpress-uberslider-mouseinteraction-plugin-2-3-reflected-cross-site-scripting-xss-vulnerability (reference provided by Patchstack security audit team).

RemediationAI

Upgrade to UberSlider MouseInteraction version 2.4 or later if available (check WordPress plugin repository or vendor site for patched release addressing CVE-2026-28101). If no patched version exists, implement compensating controls: disable the plugin entirely if not business-critical, restrict plugin access to trusted administrator accounts only via WordPress role management, deploy Content Security Policy headers blocking inline script execution with directives like script-src 'self' to mitigate XSS impact, implement Web Application Firewall rules filtering reflected XSS patterns in query parameters (though this may cause false positives for legitimate slider interactions). Monitor WordPress plugin repository and Patchstack advisory page for patch release announcements. Note that CSP deployment may break legitimate plugin functionality if it relies on inline JavaScript for mouse interaction effects.

Share

CVE-2026-28101 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy