LambertGroup - AllInOne - Banner with Thumbnails CVE-2026-28108
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Thumbnails all-in-one-thumbnailsBanner allows Reflected XSS.This issue affects LambertGroup - AllInOne - Banner with Thumbnails: from n/a through <= 3.8.
AnalysisAI
Reflected cross-site scripting (XSS) in LambertGroup AllInOne Banner with Thumbnails WordPress plugin through version 3.8 allows unauthenticated remote attackers to inject malicious scripts via crafted URLs. The vulnerability requires user interaction (clicking a malicious link) but needs no authentication. Exploitation probability is low (EPSS 0.04%, 10th percentile), with no confirmed active exploitation or public POC at time of analysis. Changed scope (S:C) in CVSS vector indicates potential to impact resources beyond the vulnerable component.
Technical ContextAI
This is a WordPress plugin vulnerability in the LambertGroup AllInOne Banner with Thumbnails component (all-in-one-thumbnailsBanner). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), a classic web application security flaw where user-supplied input is rendered in HTML output without proper sanitization or encoding. Reflected XSS occurs when attacker-controlled data from the HTTP request (typically URL parameters or form inputs) is immediately echoed back in the response page without validation. In WordPress plugin contexts, this commonly manifests in admin panels, shortcode handlers, or AJAX endpoints that process GET/POST parameters. The vulnerability affects all versions through 3.8, suggesting the input handling flaw exists in core plugin functionality rather than a recently introduced regression.
Affected ProductsAI
The vulnerability affects LambertGroup AllInOne Banner with Thumbnails WordPress plugin, specifically all versions from the initial release through version 3.8 inclusive. The plugin identifier is 'all-in-one-thumbnailsBanner' in the WordPress plugin repository. The vulnerability was reported by the Patchstack security research team (audit@patchstack.com) and documented in their vulnerability database at https://patchstack.com/database/Wordpress/Plugin/all-in-one-thumbnailsBanner/vulnerability/wordpress-lambertgroup-allinone-banner-with-thumbnails-plugin-3-8-reflected-cross-site-scripting-xss-vulnerability. No CPE string is provided in the available data, and vendor advisories from LambertGroup directly are not confirmed at time of analysis.
RemediationAI
Check for updated versions of the LambertGroup AllInOne Banner with Thumbnails plugin above version 3.8 in the WordPress plugin repository or through the WordPress admin dashboard plugin updater. The Patchstack database reference at https://patchstack.com/database/Wordpress/Plugin/all-in-one-thumbnailsBanner/vulnerability/wordpress-lambertgroup-allinone-banner-with-thumbnails-plugin-3-8-reflected-cross-site-scripting-xss-vulnerability should be consulted for confirmed patched version information, though exact fix version is not independently verified from provided data. If no patched version is available or upgrade is not immediately feasible, implement compensating controls: disable the plugin entirely if not actively used, restrict plugin access to trusted administrator IP addresses via .htaccess or firewall rules (though this may break legitimate functionality), deploy web application firewall (WAF) rules to detect and block XSS patterns in requests to plugin endpoints (with risk of false positives blocking legitimate banner thumbnail parameters), and educate users with plugin access to avoid clicking untrusted links while authenticated to WordPress admin. Note that WAF-based mitigation requires careful tuning to avoid blocking legitimate banner configuration activities.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today