AllInOne Banner Rotator CVE-2026-28112
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup AllInOne - Banner Rotator all-in-one-bannerRotator allows Reflected XSS.This issue affects AllInOne - Banner Rotator: from n/a through <= 3.8.
AnalysisAI
Reflected cross-site scripting in AllInOne Banner Rotator WordPress plugin allows remote attackers to execute arbitrary JavaScript in victim browsers when users click malicious links. Affects versions up to and including 3.8. EPSS score of 0.04% (10th percentile) indicates low probability of widespread exploitation. No active exploitation confirmed via CISA KEV, though vulnerability discovered and reported by Patchstack security audit team.
Technical ContextAI
This WordPress plugin vulnerability stems from improper neutralization of user-supplied input during web page generation (CWE-79), the classic cross-site scripting weakness. The plugin fails to properly sanitize or encode external input before reflecting it back in HTTP responses, allowing attackers to inject malicious JavaScript payloads. The reflected XSS nature means malicious scripts are not stored server-side but rather delivered via crafted URLs or form submissions that immediately echo back to the victim. WordPress plugins frequently exhibit this vulnerability class when handling GET/POST parameters, search queries, or administrative interface inputs without proper validation and output encoding through WordPress security functions like esc_html(), esc_attr(), or wp_kses().
Affected ProductsAI
WordPress plugin AllInOne Banner Rotator (all-in-one-bannerRotator) maintained by LambertGroup, versions from earliest release through 3.8 inclusive. The vulnerability report indicates the entire version history is affected with no prior secure releases. Vulnerability details available via Patchstack database at https://patchstack.com/database/Wordpress/Plugin/all-in-one-bannerRotator/vulnerability/wordpress-allinone-banner-rotator-plugin-3-8-reflected-cross-site-scripting-xss-vulnerability. No CPE identifier available in provided data. WordPress site administrators can verify installed version via wp-content/plugins/all-in-one-bannerRotator/ directory or WordPress admin Plugins interface.
RemediationAI
Primary remediation: Update to AllInOne Banner Rotator version 3.9 or later if available, verifying via WordPress dashboard or Patchstack advisory. As of analysis time, specific patched version number not independently confirmed from available data sources. Check WordPress.org plugin repository or contact LambertGroup vendor directly for latest secure release. Interim compensating controls if patch unavailable: Disable the AllInOne Banner Rotator plugin entirely via WordPress admin panel if banner rotation functionality is non-critical to site operations (trade-off: loss of banner management features). Implement Web Application Firewall (WAF) rules to detect and block common XSS payloads in HTTP requests targeting plugin endpoints, though this provides incomplete protection against encoding variations. Deploy Content Security Policy (CSP) headers with restrictive script-src directives to prevent inline JavaScript execution, noting this may break legitimate plugin functionality requiring testing. Restrict WordPress admin panel access to trusted IP addresses via .htaccess or firewall rules to reduce attack surface for administrator-targeted XSS (trade-off: reduced remote administration flexibility). Monitor WordPress access logs for suspicious URL patterns containing script tags, JavaScript event handlers, or HTML entity encoding.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today