UberSlider Classic CVE-2026-28102
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup UberSlider Classic uberSlider_classic allows Reflected XSS.This issue affects UberSlider Classic: from n/a through <= 2.5.
AnalysisAI
Reflected cross-site scripting in UberSlider Classic WordPress plugin through version 2.5 allows remote attackers to execute malicious JavaScript in victim browsers via crafted URLs. Exploitation requires user interaction (clicking malicious link). EPSS score of 0.04% (10th percentile) indicates minimal observed exploitation activity. No CISA KEV listing confirms this is not being actively exploited in widespread campaigns, though the low attack complexity and network vector make exploitation straightforward once a victim is socially engineered.
Technical ContextAI
This is a reflected XSS vulnerability (CWE-79) in the UberSlider Classic WordPress plugin, a slider/carousel component for WordPress sites. The vulnerability stems from improper neutralization of user input during HTML page generation, allowing attacker-controlled data to be reflected in the HTTP response without adequate sanitization or encoding. The plugin fails to validate or escape input parameters before rendering them in the browser context, enabling injection of arbitrary JavaScript. As a WordPress plugin vulnerability, exploitation depends on the plugin being installed and active on the target WordPress site. The CVSS scope change (S:C) indicates the vulnerability can affect resources beyond the vulnerable component itself, consistent with XSS attacks that execute in the victim's browser context rather than on the server.
Affected ProductsAI
UberSlider Classic WordPress plugin by LambertGroup, all versions through 2.5 inclusive. The vulnerability report from audit@patchstack.com indicates the entire version lineage up to and including version 2.5 is affected. Organizations can verify affected installations by checking WordPress admin panel under Plugins for 'UberSlider Classic' version 2.5 or earlier. The vulnerability exists in the WordPress plugin ecosystem, meaning only WordPress sites with this specific plugin installed and activated are vulnerable. Full vendor advisory available at https://patchstack.com/database/Wordpress/Plugin/uberSlider_classic/vulnerability/wordpress-uberslider-classic-plugin-2-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve
RemediationAI
Update UberSlider Classic plugin to version 2.6 or later if a patched version has been released. Check the WordPress plugin repository or vendor communications for updates. If no patch is available, remove or deactivate the UberSlider Classic plugin entirely if not business-critical, as this eliminates the attack surface completely with no functional impact for sites not using slider features. If the plugin must remain active, implement defense-in-depth controls: deploy Content Security Policy (CSP) headers with strict script-src directives to prevent execution of injected scripts (note: this may break legitimate inline JavaScript in themes/plugins and requires testing); enable WordPress security plugins with XSS filtering capabilities like Wordfence or Sucuri (these provide heuristic detection but are not foolproof against novel payloads); educate users not to click untrusted links to the WordPress site; monitor web application firewall (WAF) logs for XSS attack patterns in URL parameters targeting this plugin. These workarounds reduce but do not eliminate risk. Consult Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/uberSlider_classic/vulnerability/wordpress-uberslider-classic-plugin-2-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for vendor-confirmed remediation guidance.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today