LBG Zoominoutslider CVE-2026-28103
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LBG Zoominoutslider lbg_zoominoutslider allows Reflected XSS.This issue affects LBG Zoominoutslider: from n/a through <= 5.4.5.
AnalysisAI
Reflected cross-site scripting in LBG Zoominoutslider WordPress plugin versions through 5.4.5 allows remote attackers to execute arbitrary JavaScript in victim browsers via crafted URLs requiring user interaction. EPSS exploitation probability is very low (0.04%, 10th percentile), and no active exploitation is confirmed. A Patchstack database entry documents the vulnerability, but no vendor-released patch version is identified at time of analysis.
Technical ContextAI
This is a reflected XSS vulnerability (CWE-79) in the LBG Zoominoutslider WordPress plugin, a slider component for WordPress sites. The flaw stems from improper neutralization of user-supplied input during web page generation, allowing attacker-controlled data to be rendered as executable JavaScript without sufficient sanitization or encoding. The CVSS vector AV:N indicates network-based exploitation, while S:C (scope changed) means the malicious script executes in the victim's browser context rather than the vulnerable server application itself. The vulnerability affects all versions through 5.4.5, suggesting a long-standing input validation gap in the plugin's request handling code.
Affected ProductsAI
LambertGroup LBG Zoominoutslider WordPress plugin versions from earliest release through 5.4.5 are confirmed vulnerable according to Patchstack vulnerability database entry. The vulnerability was reported by audit@patchstack.com. Organizations should verify plugin version via WordPress admin dashboard under Plugins section. Patchstack database entry available at https://patchstack.com/database/Wordpress/Plugin/lbg_zoominoutslider/vulnerability/wordpress-lbg-zoominoutslider-plugin-5-4-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve for additional technical details.
RemediationAI
No vendor-released patch version confirmed from available data. Organizations using LBG Zoominoutslider should check WordPress plugin repository or LambertGroup vendor channels for updates beyond version 5.4.5. If no patch is available, implement compensating controls: disable or uninstall the lbg_zoominoutslider plugin if not business-critical, as removing the vulnerable code eliminates attack surface entirely. If plugin functionality is required, configure Web Application Firewall rules to block suspected XSS payloads in URL parameters targeting plugin endpoints (trade-off: may cause false positives for legitimate dynamic content). Deploy Content Security Policy headers with script-src 'self' directive to prevent inline script execution (trade-off: may break plugin's legitimate inline JavaScript if not carefully tuned). Educate users not to click untrusted links to WordPress admin or site pages. Monitor Patchstack database entry at reference URL for patch release notifications.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today