Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Playlist all-in-one-bannerWithPlaylist allows Reflected XSS. This issue affects LambertGroup - AllInOne - Banner with Playlist: from n/a through <= 3.8.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation, resulting in a reflected XSS flaw. An attacker can inject script into the output page when a user visits a crafted URL. The script runs in the victim's browser session, with that user's privileges on the site, potentially exfiltrating cookies, hijacking the session, or defacing the page. The weakness is classified as CWE-79.

Affected Systems

LambertGroup – AllInOne – Banner with Playlist plugin for WordPress. Versions from the earliest released version up to and including 3.8 are impacted. No later versions were specified, so any installation of the plugin at or below 3.8 satisfies the affected range.

Risk and Exploitability

The CVSS score of 7.1 indicates high severity, while the EPSS score of <1% suggests limited exploitation activity. The vulnerability is not currently in CISA's KEV catalog. The likely attack vector is URL manipulation, since the flaw reflects input from the request into the page. Exploitation requires only that a target user open a crafted link (user interaction is required); no privileged access is needed, and the impact is script execution in the victim's browser rather than remote code execution on the server.

Generated by OpenCVE AI on April 15, 2026 at 22:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AllInOne – Banner with Playlist plugin to a version newer than 3.8, or uninstall it if no update exists.
  • Disable the plugin on sites where banner functionality is not required, which removes the vulnerable code path.
  • Configure a web application firewall or site-level input sanitization to filter or escape user-supplied request parameters that the plugin reflects into the page before they are rendered.
  • Apply WordPress best‑practice security guidelines by ensuring all plugin inputs are properly sanitized and escaped according to the WordPress coding standards.

Generated by OpenCVE AI on April 15, 2026 at 22:49 UTC.

Tracking


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Lambertgroup; Lambertgroup lambertgroup - Allinone - Banner With Playlist; Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Lambertgroup; Lambertgroup lambertgroup - Allinone - Banner With Playlist; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 17:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added:
    cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Playlist all-in-one-bannerWithPlaylist allows Reflected XSS. This issue affects LambertGroup - AllInOne - Banner with Playlist: from n/a through <= 3.8.

Type: Title
  Values Removed: (none)
  Values Added: WordPress LambertGroup - AllInOne - Banner with Playlist plugin <= 3.8 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79
References

Subscriptions

Lambertgroup Lambertgroup - Allinone - Banner With Playlist
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:44.334Z

Reserved: 2026-02-25T12:14:02.975Z

Link: CVE-2026-28110

Vulnrichment

Updated: 2026-03-05T16:55:23.300Z

NVD

Status : Deferred

Published: 2026-03-05T06:16:45.567

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-28110

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T23:00:10Z

Weaknesses