Skip to main content

LambertGroup - AllInOne - Banner with Thumbnails CVE-2026-28108

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-05 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 23, 2026 - 00:16 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 06:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Thumbnails all-in-one-thumbnailsBanner allows Reflected XSS.This issue affects LambertGroup - AllInOne - Banner with Thumbnails: from n/a through <= 3.8.

AnalysisAI

Reflected cross-site scripting (XSS) in LambertGroup AllInOne Banner with Thumbnails WordPress plugin through version 3.8 allows unauthenticated remote attackers to inject malicious scripts via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication. Exploitation probability is low (EPSS 0.04%, 10th percentile), with no confirmed active exploitation or public POC at time of analysis. Changed scope (S:C) in CVSS vector indicates potential to impact resources beyond the vulnerable component.

Technical ContextAI

This is a WordPress plugin vulnerability in the LambertGroup AllInOne Banner with Thumbnails component (all-in-one-thumbnailsBanner). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic web application security flaw where user-supplied input is rendered in HTML output without proper sanitization or encoding. Reflected XSS occurs when attacker-controlled data from the HTTP request (typically URL parameters or form inputs) is immediately echoed back in the response page without validation. In WordPress plugin contexts, this commonly manifests in admin panels, shortcode handlers, or AJAX endpoints that process GET/POST parameters. The vulnerability affects all versions through 3.8, suggesting the input handling flaw exists in core plugin functionality rather than a recently introduced regression.

Affected ProductsAI

The vulnerability affects LambertGroup AllInOne Banner with Thumbnails WordPress plugin, specifically all versions from the initial release through version 3.8 inclusive. The plugin identifier is 'all-in-one-thumbnailsBanner' in the WordPress plugin repository. The vulnerability was reported by the Patchstack security research team (audit@patchstack.com) and documented in their vulnerability database at https://patchstack.com/database/Wordpress/Plugin/all-in-one-thumbnailsBanner/vulnerability/wordpress-lambertgroup-allinone-banner-with-thumbnails-plugin-3-8-reflected-cross-site-scripting-xss-vulnerability. No CPE string is provided in the available data, and vendor advisories from LambertGroup directly are not confirmed at time of analysis.

RemediationAI

Check for updated versions of the LambertGroup AllInOne Banner with Thumbnails plugin above version 3.8 in the WordPress plugin repository or through the WordPress admin dashboard plugin updater. The Patchstack database reference at https://patchstack.com/database/Wordpress/Plugin/all-in-one-thumbnailsBanner/vulnerability/wordpress-lambertgroup-allinone-banner-with-thumbnails-plugin-3-8-reflected-cross-site-scripting-xss-vulnerability should be consulted for confirmed patched version information, though exact fix version is not independently verified from provided data. If no patched version is available or upgrade is not immediately feasible, implement compensating controls: disable the plugin entirely if not actively used, restrict plugin access to trusted administrator IP addresses via .htaccess or firewall rules (though this may break legitimate functionality), deploy web application firewall (WAF) rules to detect and block XSS patterns in requests to plugin endpoints (with risk of false positives blocking legitimate banner thumbnail parameters), and educate users with plugin access to avoid clicking untrusted links while authenticated to WordPress admin. Note that WAF-based mitigation requires careful tuning to avoid blocking legitimate banner configuration activities.

Share

CVE-2026-28108 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy