Skip to main content

LambertGroup AllInOne Banner with Playlist CVE-2026-28110

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-05 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 23, 2026 - 00:15 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 06:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Playlist all-in-one-bannerWithPlaylist allows Reflected XSS.This issue affects LambertGroup - AllInOne - Banner with Playlist: from n/a through <= 3.8.

AnalysisAI

Reflected cross-site scripting in the LambertGroup AllInOne Banner with Playlist WordPress plugin (versions ≤3.8) allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers via crafted URLs. With EPSS exploitation probability at 0.04% (10th percentile), this represents a low likelihood of automated or widespread exploitation despite the network attack vector. No active exploitation or public POC has been identified at time of analysis. Impact requires user interaction (clicking malicious link), limiting autonomous exploitation scenarios.

Technical ContextAI

This vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), the foundational weakness class for cross-site scripting attacks. The plugin fails to properly sanitize or encode user-supplied input before reflecting it back in dynamically generated web pages. The WordPress plugin architecture typically exposes multiple endpoints for AJAX handlers, shortcode rendering, or admin interfaces where unsanitized GET/POST parameters can be injected into HTML output. The CVSS scope change (S:C) indicates the vulnerable component (WordPress plugin) operates under different privileges than the impacted component (user browser context), characteristic of client-side injection attacks where attacker-controlled script executes with the victim's session privileges.

Affected ProductsAI

The vulnerability affects the LambertGroup AllInOne Banner with Playlist WordPress plugin, all versions from an unspecified initial release through version 3.8 inclusive. Patchstack database identifies this as a WordPress plugin available through the official WordPress.org repository. Organizations can verify exposure by checking installed plugin versions in WordPress admin dashboard under Plugins > Installed Plugins, searching for 'LambertGroup' or 'all-in-one-bannerWithPlaylist'. The vendor-assigned slug is all-in-one-bannerWithPlaylist per the Patchstack reference URL.

RemediationAI

Immediately upgrade LambertGroup AllInOne Banner with Playlist to version 3.9 or later if a patched release is available through the WordPress plugin repository. Verify patch availability at https://patchstack.com/database/Wordpress/Plugin/all-in-one-bannerWithPlaylist/vulnerability/wordpress-lambertgroup-allinone-banner-with-playlist-plugin-3-8-reflected-cross-site-scripting-xss-vulnerability. If no patch exists yet, implement compensating controls: disable the plugin entirely if not business-critical (eliminates attack surface with zero performance impact), restrict plugin access to trusted admin IP ranges via WordPress security plugins or web application firewall rules (reduces social engineering targets but creates operational overhead for legitimate remote admins), or deploy Content Security Policy headers with strict script-src directives to prevent inline JavaScript execution (may break plugin functionality requiring testing in staging environment first). For WordPress installations behind reverse proxies or WAFs, configure rules to inspect and sanitize query parameters targeting plugin endpoints, though this requires identifying specific vulnerable parameters through code review. Monitor WordPress access logs for suspicious query strings containing JavaScript event handlers (onclick, onerror, onload) or script tags targeting plugin paths.

Share

CVE-2026-28110 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy