Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Thumbnails all-in-one-thumbnailsBanner allows Reflected XSS.This issue affects LambertGroup - AllInOne - Banner with Thumbnails: from n/a through <= 3.8.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected cross‑site scripting that can enable client‑side code execution in a victim's browser
Action: Patch Plugin
AI Analysis

Impact

An input value that is reflected in a web page is not correctly escaped, enabling malicious scripts to run in a victim’s browser. Such reflected XSS can lead to the execution of arbitrary JavaScript, facilitating cookie theft, session hijacking, or redirection to phishing sites. The weakness is a classic input validation flaw (CWE‑79) and is rated medium‑high severity (CVSS 7.1).

Affected Systems

The vulnerability affects the WordPress plugin LambertGroup – AllInOne – Banner with Thumbnails version 3.8 and earlier, which is distributed by LambertGroup. No further version qualifiers are specified beyond the <=3.8 range.

Risk and Exploitability

The low EPSS (<1%) indicates a small but non‑zero likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. An attacker would most likely craft a malicious URL or form input that triggers the unescaped output, requiring that a user visits or interacts with the affected page. If successful, the attacker can run scripts in the user’s browser context, potentially compromising credentials or performing phishing actions.

Generated by OpenCVE AI on April 15, 2026 at 19:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the plugin to a version newer than 3.8 or uninstall it if no fix is available
  • If no immediate update is available, block or filter the vulnerable parameters using a web application firewall or input sanitization rules
  • Configure user‑agent or activity monitoring to detect unexpected script execution or cookie theft events

Generated by OpenCVE AI on April 15, 2026 at 19:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Lambertgroup
Lambertgroup lambertgroup - Allinone - Banner With Thumbnails
Wordpress
Wordpress wordpress
Vendors & Products Lambertgroup
Lambertgroup lambertgroup - Allinone - Banner With Thumbnails
Wordpress
Wordpress wordpress

Thu, 05 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 05 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Thumbnails all-in-one-thumbnailsBanner allows Reflected XSS.This issue affects LambertGroup - AllInOne - Banner with Thumbnails: from n/a through <= 3.8.
Title WordPress LambertGroup - AllInOne - Banner with Thumbnails plugin <= 3.8 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Lambertgroup Lambertgroup - Allinone - Banner With Thumbnails
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:43.970Z

Reserved: 2026-02-25T12:14:02.975Z

Link: CVE-2026-28108

cve-icon Vulnrichment

Updated: 2026-03-05T17:00:47.076Z

cve-icon NVD

Status : Deferred

Published: 2026-03-05T06:16:45.307

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-28108

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T20:00:06Z

Weaknesses