AllInOne Content Slider CVE-2026-28109
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Content Slider all-in-one-contentSlider allows Reflected XSS.This issue affects LambertGroup - AllInOne - Content Slider: from n/a through <= 3.8.
AnalysisAI
Reflected cross-site scripting (XSS) in LambertGroup AllInOne Content Slider WordPress plugin through version 3.8 enables remote attackers to execute arbitrary JavaScript in victim browsers by tricking users into clicking malicious links. The vulnerability allows content injection with low-level impacts across confidentiality, integrity, and availability due to scope change (S:C in CVSS vector). Reported by Patchstack security researchers, EPSS exploitation probability is very low (0.04%, 10th percentile), indicating minimal observed real-world targeting despite no authentication requirement.
Technical ContextAI
This is a reflected XSS vulnerability (CWE-79) in the WordPress plugin LambertGroup AllInOne Content Slider. Reflected XSS occurs when user-supplied input is immediately returned in web page output without proper sanitization or encoding, allowing attackers to inject malicious JavaScript that executes in the victim's browser context. The CVSS vector shows Scope Changed (S:C), meaning the vulnerable component (the plugin) runs in a different security context than the impacted component (user browser/WordPress session), enabling attacks beyond the plugin's own boundaries. WordPress plugins process HTTP parameters and render dynamic content, making input validation critical. The lack of proper input neutralization during page generation allows crafted payloads in URL parameters or form inputs to be reflected directly into HTML output.
Affected ProductsAI
LambertGroup AllInOne Content Slider WordPress plugin versions from unknown starting version through 3.8 (inclusive) are confirmed vulnerable per Patchstack advisory. The plugin identifier is all-in-one-contentSlider in WordPress plugin repository. All WordPress installations running this plugin at version 3.8 or earlier should be considered affected. Vendor advisory available at https://patchstack.com/database/Wordpress/Plugin/all-in-one-contentSlider/vulnerability/wordpress-lambertgroup-allinone-content-slider-plugin-3-8-reflected-cross-site-scripting-xss-vulnerability.
RemediationAI
Check current plugin version in WordPress admin dashboard under Plugins section and verify if AllInOne Content Slider version 3.8 or earlier is installed. Patchstack advisory does not explicitly confirm availability of patched version 3.9 or higher at time of analysis - contact LambertGroup directly or monitor WordPress plugin repository for security updates. If patched version becomes available, upgrade immediately through WordPress admin interface (Dashboard → Plugins → Update). Until official patch is deployed, consider temporary compensating controls: disable the plugin if content slider functionality is non-critical (eliminates attack surface entirely but removes plugin features), restrict plugin usage to administrator-only pages if possible (limits exposure though not foolproof for reflected XSS), implement Web Application Firewall rules to detect and block common XSS patterns in requests to plugin endpoints (may cause false positives requiring tuning), and educate users about not clicking untrusted links to WordPress admin areas (reduces but does not eliminate UI:R exploitation). Monitor Patchstack advisory URL for vendor response timeline.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today