Skip to main content

AllInOne Banner Rotator CVE-2026-28112

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-05 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 23, 2026 - 00:14 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 22, 2026 - 21:37 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 05, 2026 - 06:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup AllInOne - Banner Rotator all-in-one-bannerRotator allows Reflected XSS.This issue affects AllInOne - Banner Rotator: from n/a through <= 3.8.

AnalysisAI

Reflected cross-site scripting in AllInOne Banner Rotator WordPress plugin allows remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. Affects versions up to and including 3.8. EPSS score of 0.04% (10th percentile) indicates low probability of widespread exploitation. No active exploitation confirmed via CISA KEV, though vulnerability discovered and reported by Patchstack security audit team.

Technical ContextAI

This WordPress plugin vulnerability stems from improper neutralization of user-supplied input during web page generation (CWE-79), the classic cross-site scripting weakness. The plugin fails to properly sanitize or encode external input before reflecting it back in HTTP responses, allowing attackers to inject malicious JavaScript payloads. The reflected XSS nature means malicious scripts are not stored server-side but rather delivered via crafted URLs or form submissions that immediately echo back to the victim. WordPress plugins frequently exhibit this vulnerability class when handling GET/POST parameters, search queries, or administrative interface inputs without proper validation and output encoding through WordPress security functions like esc_html(), esc_attr(), or wp_kses().

Affected ProductsAI

WordPress plugin AllInOne Banner Rotator (all-in-one-bannerRotator) maintained by LambertGroup, versions from earliest release through 3.8 inclusive. The vulnerability report indicates the entire version history is affected with no prior secure releases. Vulnerability details available via Patchstack database at https://patchstack.com/database/Wordpress/Plugin/all-in-one-bannerRotator/vulnerability/wordpress-allinone-banner-rotator-plugin-3-8-reflected-cross-site-scripting-xss-vulnerability. No CPE identifier available in provided data. WordPress site administrators can verify installed version via wp-content/plugins/all-in-one-bannerRotator/ directory or WordPress admin Plugins interface.

RemediationAI

Primary remediation: Update to AllInOne Banner Rotator version 3.9 or later if available, verifying via WordPress dashboard or Patchstack advisory. As of analysis time, specific patched version number not independently confirmed from available data sources. Check WordPress.org plugin repository or contact LambertGroup vendor directly for latest secure release. Interim compensating controls if patch unavailable: Disable the AllInOne Banner Rotator plugin entirely via WordPress admin panel if banner rotation functionality is non-critical to site operations (trade-off: loss of banner management features). Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads in HTTP requests targeting plugin endpoints, though this provides incomplete protection against encoding variations. Deploy Content Security Policy (CSP) headers with restrictive script-src directives to prevent inline JavaScript execution, noting this may break legitimate plugin functionality requiring testing. Restrict WordPress admin panel access to trusted IP addresses via .htaccess or firewall rules to reduce attack surface for administrator-targeted XSS (trade-off: reduced remote administration flexibility). Monitor WordPress access logs for suspicious URL patterns containing script tags, JavaScript event handlers, or HTML entity encoding.

Share

CVE-2026-28112 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy