Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup UberSlider MouseInteraction uberSlider_mouseinteraction allows Reflected XSS. This issue affects UberSlider MouseInteraction: from n/a through <= 2.3.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross Site Scripting (XSS)
Action: Patch
AI Analysis

Impact

Improper neutralization of user input in the UberSlider MouseInteraction plugin allows attackers to inject arbitrary JavaScript into web pages that the plugin generates. When a victim follows a crafted link or submits a crafted form, the injected script runs in the victim’s browser, enabling session hijacking, cookie theft, or drive-by downloads. The vulnerability is a classic reflected XSS flaw and is identified as CWE-79.

Affected Systems

WordPress sites that have the UberSlider MouseInteraction plugin from LambertGroup installed are affected. All releases from an unspecified earlier version up to and including version 2.3 are affected. No specific lower bound is provided, so any site running one of these versions is vulnerable.

Risk and Exploitability

The CVSS score of 7.1 is rated High. The EPSS score is below 1%, indicating a low probability of exploitation in the wild, although it is not zero. The vulnerability is not listed in CISA’s KEV catalog, so no known active exploits have been reported. The likely attack vector is web-based: an attacker can construct a malicious request that returns a page containing the injected script, typically without requiring authentication. Successful exploitation would affect the confidentiality, integrity, or availability of the user session and could allow further attacks.

Generated by OpenCVE AI on April 15, 2026 at 20:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the UberSlider MouseInteraction plugin to version 2.4 or newer, which removes the reflected XSS flaw.
  • If an upgrade is not immediately possible, disable the plugin until a patch is applied to eliminate the entry point for the vulnerability.
  • Apply the latest security updates for WordPress core and other plugins, and review site configurations to limit the exposure of the plugin’s parameters to user input.


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Lambertgroup; Lambertgroup uberslider Mouseinteraction; Wordpress; Wordpress wordpress
Vendors & Products | | Lambertgroup; Lambertgroup uberslider Mouseinteraction; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup UberSlider MouseInteraction uberSlider_mouseinteraction allows Reflected XSS. This issue affects UberSlider MouseInteraction: from n/a through <= 2.3.
Title | | WordPress UberSlider MouseInteraction plugin <= 2.3 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses | | CWE-79
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:42.831Z

Reserved: 2026-02-25T12:13:56.812Z

Link: CVE-2026-28101

Vulnrichment

Updated: 2026-03-05T17:10:21.065Z

NVD

Status: Deferred

Published: 2026-03-05T06:16:44.523

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-28101

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:15:13Z

Weaknesses