LambertGroup AllInOne Banner with Playlist CVE-2026-28110
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Playlist all-in-one-bannerWithPlaylist allows Reflected XSS.This issue affects LambertGroup - AllInOne - Banner with Playlist: from n/a through <= 3.8.
AnalysisAI
Reflected cross-site scripting in the LambertGroup AllInOne Banner with Playlist WordPress plugin (versions ≤3.8) allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. With EPSS exploitation probability at 0.04% (10th percentile), this represents a low likelihood of automated or widespread exploitation despite the network attack vector. No active exploitation or public POC has been identified at time of analysis. Impact requires user interaction (clicking malicious link), limiting autonomous exploitation scenarios.
Technical ContextAI
This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), the foundational weakness class for cross-site scripting attacks. The plugin fails to properly sanitize or encode user-supplied input before reflecting it back in dynamically generated web pages. The WordPress plugin architecture typically exposes multiple endpoints for AJAX handlers, shortcode rendering, or admin interfaces where unsanitized GET/POST parameters can be injected into HTML output. The CVSS scope change (S:C) indicates the vulnerable component (WordPress plugin) operates under different privileges than the impacted component (user browser context), characteristic of client-side injection attacks where attacker-controlled script executes with the victim's session privileges.
Affected ProductsAI
The vulnerability affects the LambertGroup AllInOne Banner with Playlist WordPress plugin, all versions from an unspecified initial release through version 3.8 inclusive. Patchstack database identifies this as a WordPress plugin available through the official WordPress.org repository. Organizations can verify exposure by checking installed plugin versions in WordPress admin dashboard under Plugins > Installed Plugins, searching for 'LambertGroup' or 'all-in-one-bannerWithPlaylist'. The vendor-assigned slug is all-in-one-bannerWithPlaylist per the Patchstack reference URL.
RemediationAI
Immediately upgrade LambertGroup AllInOne Banner with Playlist to version 3.9 or later if a patched release is available through the WordPress plugin repository. Verify patch availability at https://patchstack.com/database/Wordpress/Plugin/all-in-one-bannerWithPlaylist/vulnerability/wordpress-lambertgroup-allinone-banner-with-playlist-plugin-3-8-reflected-cross-site-scripting-xss-vulnerability. If no patch exists yet, implement compensating controls: disable the plugin entirely if not business-critical (eliminates attack surface with zero performance impact), restrict plugin access to trusted admin IP ranges via WordPress security plugins or web application firewall rules (reduces social engineering targets but creates operational overhead for legitimate remote admins), or deploy Content Security Policy headers with strict script-src directives to prevent inline JavaScript execution (may break plugin functionality requiring testing in staging environment first). For WordPress installations behind reverse proxies or WAFs, configure rules to inspect and sanitize query parameters targeting plugin endpoints, though this requires identifying specific vulnerable parameters through code review. Monitor WordPress access logs for suspicious query strings containing JavaScript event handlers (onclick, onerror, onload) or script tags targeting plugin paths.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today