Skip to main content

AllInOne Content Slider CVE-2026-28109

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-05 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 23, 2026 - 00:16 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 06:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Content Slider all-in-one-contentSlider allows Reflected XSS.This issue affects LambertGroup - AllInOne - Content Slider: from n/a through <= 3.8.

AnalysisAI

Reflected cross-site scripting (XSS) in LambertGroup AllInOne Content Slider WordPress plugin through version 3.8 enables remote attackers to execute arbitrary JavaScript in victim browsers by tricking users into clicking malicious links. The vulnerability allows content injection with low-level impacts across confidentiality, integrity, and availability due to scope change (S:C in CVSS vector). Reported by Patchstack security researchers, EPSS exploitation probability is very low (0.04%, 10th percentile), indicating minimal observed real-world targeting despite no authentication requirement.

Technical ContextAI

This is a reflected XSS vulnerability (CWE-79) in the WordPress plugin LambertGroup AllInOne Content Slider. Reflected XSS occurs when user-supplied input is immediately returned in web page output without proper sanitization or encoding, allowing attackers to inject malicious JavaScript that executes in the victim's browser context. The CVSS vector shows Scope Changed (S:C), meaning the vulnerable component (the plugin) runs in a different security context than the impacted component (user browser/WordPress session), enabling attacks beyond the plugin's own boundaries. WordPress plugins process HTTP parameters and render dynamic content, making input validation critical. The lack of proper input neutralization during page generation allows crafted payloads in URL parameters or form inputs to be reflected directly into HTML output.

Affected ProductsAI

LambertGroup AllInOne Content Slider WordPress plugin versions from unknown starting version through 3.8 (inclusive) are confirmed vulnerable per Patchstack advisory. The plugin identifier is all-in-one-contentSlider in WordPress plugin repository. All WordPress installations running this plugin at version 3.8 or earlier should be considered affected. Vendor advisory available at https://patchstack.com/database/Wordpress/Plugin/all-in-one-contentSlider/vulnerability/wordpress-lambertgroup-allinone-content-slider-plugin-3-8-reflected-cross-site-scripting-xss-vulnerability.

RemediationAI

Check current plugin version in WordPress admin dashboard under Plugins section and verify if AllInOne Content Slider version 3.8 or earlier is installed. Patchstack advisory does not explicitly confirm availability of patched version 3.9 or higher at time of analysis - contact LambertGroup directly or monitor WordPress plugin repository for security updates. If patched version becomes available, upgrade immediately through WordPress admin interface (Dashboard → Plugins → Update). Until official patch is deployed, consider temporary compensating controls: disable the plugin if content slider functionality is non-critical (eliminates attack surface entirely but removes plugin features), restrict plugin usage to administrator-only pages if possible (limits exposure though not foolproof for reflected XSS), implement Web Application Firewall rules to detect and block common XSS patterns in requests to plugin endpoints (may cause false positives requiring tuning), and educate users about not clicking untrusted links to WordPress admin areas (reduces but does not eliminate UI:R exploitation). Monitor Patchstack advisory URL for vendor response timeline.

Share

CVE-2026-28109 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy