Skip to main content

LBG Zoominoutslider CVE-2026-28103

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-05 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 23, 2026 - 00:18 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 06:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LBG Zoominoutslider lbg_zoominoutslider allows Reflected XSS.This issue affects LBG Zoominoutslider: from n/a through <= 5.4.5.

AnalysisAI

Reflected cross-site scripting in LBG Zoominoutslider WordPress plugin versions through 5.4.5 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation is confirmed. A Patchstack database entry documents the vulnerability, but no vendor-released patch version is identified at time of analysis.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) in the LBG Zoominoutslider WordPress plugin, a slider component for WordPress sites. The flaw stems from improper neutralization of user-supplied input during web page generation, allowing attacker-controlled data to be rendered as executable JavaScript without sufficient sanitization or encoding. The CVSS vector AV:N indicates network-based exploitation, while S:C (scope changed) means the malicious script executes in the victim's browser context rather than the vulnerable server application itself. The vulnerability affects all versions through 5.4.5, suggesting a long-standing input validation gap in the plugin's request handling code.

Affected ProductsAI

LambertGroup LBG Zoominoutslider WordPress plugin versions from earliest release through 5.4.5 are confirmed vulnerable according to Patchstack vulnerability database entry. The vulnerability was reported by audit@patchstack.com. Organizations should verify plugin version via WordPress admin dashboard under Plugins section. Patchstack database entry available at https://patchstack.com/database/Wordpress/Plugin/lbg_zoominoutslider/vulnerability/wordpress-lbg-zoominoutslider-plugin-5-4-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for additional technical details.

RemediationAI

No vendor-released patch version confirmed from available data. Organizations using LBG Zoominoutslider should check WordPress plugin repository or LambertGroup vendor channels for updates beyond version 5.4.5. If no patch is available, implement compensating controls: disable or uninstall the lbg_zoominoutslider plugin if not business-critical, as removing the vulnerable code eliminates attack surface entirely. If plugin functionality is required, configure Web Application Firewall rules to block suspected XSS payloads in URL parameters targeting plugin endpoints (trade-off: may cause false positives for legitimate dynamic content). Deploy Content Security Policy headers with script-src 'self' directive to prevent inline script execution (trade-off: may break plugin's legitimate inline JavaScript if not carefully tuned). Educate users not to click untrusted links to WordPress admin or site pages. Monitor Patchstack database entry at reference URL for patch release notifications.

Share

CVE-2026-28103 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy