Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup AllInOne - Banner Rotator all-in-one-bannerRotator allows Reflected XSS. This issue affects AllInOne - Banner Rotator: from n/a through <= 3.8.
Published: 2026-03-05
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting allowing arbitrary client‑side code execution
Action: Update Plugin
AI Analysis

Impact

The AllInOne – Banner Rotator plugin contains a reflected XSS flaw: a request parameter is written into the generated page without being escaped for the HTML context it lands in. An attacker who gets a victim to open a crafted URL has the payload echoed back by the plugin and executed as JavaScript in the victim's browser, within the origin of the WordPress site. Consequences include session hijacking, actions carried out with the victim's WordPress privileges, page defacement and credential theft.
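The pattern behind this CWE-79 entry, as an added illustration that is not code from the AllInOne – Banner Rotator plugin (the plugin's actual vulnerable sink is not published on this page): a request parameter concatenated straight into HTML, beside the same rendering with an allow-list and context-correct encoding. The parameter name `slide`, the markup and the probe value are assumptions chosen for the example.

```php
<?php
// Added illustration of the CWE-79 pattern described above; this is NOT code
// from the AllInOne - Banner Rotator plugin, whose vulnerable sink is not
// published on this page. The parameter name "slide" and the markup are
// assumptions chosen for the example.

// Vulnerable form: the raw request parameter is concatenated into HTML, so a
// value that closes the attribute and opens a tag is rendered as markup.
function render_banner_vulnerable(array $get): string
{
    $slide = $get['slide'] ?? '0';
    return '<div class="banner" data-slide="' . $slide . '"></div>';
}

// Hardened form: validate against an allow-list first, then encode for the
// HTML-attribute context in which the value is emitted. Inside WordPress the
// encoding call would be esc_attr( wp_unslash( $_GET['slide'] ) );
// htmlspecialchars() is used here so the file runs under a plain `php` CLI.
function render_banner_hardened(array $get): string
{
    // ?slide[]=x arrives as an array; treat anything that is not a string as absent.
    $slide = isset($get['slide']) && is_string($get['slide']) ? $get['slide'] : '0';
    if (!preg_match('/^[0-9]{1,4}$/', $slide)) {
        $slide = '0';   // anything that is not a small numeric index is dropped
    }
    $safe = htmlspecialchars($slide, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="banner" data-slide="' . $safe . '"></div>';
}

// True if the rendered HTML contains a raw tag opener, i.e. the value escaped
// its attribute context and is now markup.
function reflects_markup(string $html): bool
{
    return stripos($html, '<img') !== false || stripos($html, '<script') !== false;
}

// Constructed sample request carrying a reflected-XSS probe (not a payload
// taken from this CVE).
$probe = ['slide' => '"><img src=x onerror=alert(1)>'];

$vuln = render_banner_vulnerable($probe);
$hard = render_banner_hardened($probe);

echo "vulnerable: ", $vuln, PHP_EOL;
echo "hardened:   ", $hard, PHP_EOL;
echo "breakout in vulnerable output: ", var_export(reflects_markup($vuln), true), PHP_EOL;
echo "breakout in hardened output:   ", var_export(reflects_markup($hard), true), PHP_EOL;
```

Run it with `php example.php`. The allow-list is the real fix for a value that is only ever a slide index; the encoding step is what makes the output safe even when the allow-list is looser, and it must match the sink (attribute, text node, URL or JavaScript string), which is why WordPress ships separate `esc_attr`, `esc_html`, `esc_url` and `esc_js` helpers.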

Affected Systems

All releases of the LambertGroup AllInOne – Banner Rotator plugin up to and including version 3.8 are affected; no fixed version is identified on this page. Any WordPress site running the plugin at version 3.8 or earlier is vulnerable.

Risk and Exploitability

The flaw is rated high (CVSS 3.1 base score 7.1, vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L). Exploitation needs no authentication: the attacker delivers a crafted link (email, chat, a forum post or a malicious page) and needs only the victim to open it while the plugin is installed, which is the UI:R component of the vector. Because the injected script runs in the site's origin, the impact crosses from the plugin into the victim's session with the WordPress site as a whole (scope changed). EPSS puts the probability of exploitation in the wild below 1%, the SSVC assessment records no known exploitation, and no public exploit is referenced here, but the attack is trivial to construct and reflected XSS in WordPress plugins is routinely targeted, so the risk is not negligible. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

Generated by OpenCVE AI on April 16, 2026 at 04:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AllInOne – Banner Rotator plugin to the first release newer than 3.8 that the vendor publishes with the XSS fix; at the time of this entry no fixed version is listed above, so check the vendor's changelog before assuming a newer build is patched.
  • If an immediate upgrade is not possible, deactivate the plugin (or remove it entirely) to take the vulnerable code path out of reach; a WAF rule that blocks angle brackets and `javascript:` in query strings aimed at the plugin's path is a partial mitigation only.
  • Reflected XSS does not persist in the database, so there is nothing in site content to clean from this bug alone. Instead, review web server access logs for requests to the plugin's path whose query strings decode to script markers (`<script`, `onerror=`, `javascript:`); where such requests appear, treat sessions active at that time as potentially compromised: rotate the affected users' passwords, invalidate their sessions, and check for unexpected administrator accounts or plugin changes that a hijacked session could have made.
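One way to carry out the log review in the last step, as an added triage helper that is neither OpenCVE's nor the vendor's code: it parses combined-format access-log lines, keeps only requests whose target contains the plugin slug `all-in-one-bannerRotator` from the CVE description, URL-decodes the query string twice and reports any that carry a script marker. The log format, the plugin path and the sample lines are assumptions; because the vulnerable parameter is not published here, every parameter is inspected.

```php
<?php
// Added log-triage helper, not code from OpenCVE or the plugin vendor.
// Assumptions: Apache/Nginx "combined" access-log format, and the plugin's
// files are served from a path containing the slug "all-in-one-bannerRotator"
// (taken from the CVE description). The vulnerable parameter is not published
// on this page, so every query-string parameter is inspected.

function find_xss_probes(array $lines, string $slug = 'all-in-one-bannerRotator'): array
{
    $hits = [];
    // client, [timestamp], "METHOD target protocol", status
    $logRe = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    // Script markers that only matter if a sink fails to encode them. This is a
    // triage heuristic: expect some false positives (e.g. a parameter named "online").
    $payloadRe = '/<\s*script|<\s*(img|svg|iframe)\b|\bon[a-z]+\s*=|javascript\s*:/i';

    foreach ($lines as $line) {
        if (!preg_match($logRe, $line, $m)) {
            continue;                               // not a parsable request line
        }
        [, $ip, $ts, $method, $target, $status] = $m;
        if (stripos($target, $slug) === false) {
            continue;                               // request did not touch the plugin
        }
        $query = (string) (parse_url($target, PHP_URL_QUERY) ?: '');
        // Decode twice: double URL-encoding is a common way to slip past naive filters.
        $decoded = urldecode(urldecode($query));
        if (preg_match($payloadRe, $decoded)) {
            $hits[] = [
                'ip'     => $ip,
                'time'   => $ts,
                'method' => $method,
                'status' => (int) $status,
                'query'  => $decoded,
            ];
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic): one benign request, one
// plain-encoded probe, one double-encoded probe, and one probe against a
// different endpoint that this helper deliberately ignores.
$sample = [
    '203.0.113.7 - - [06/Mar/2026:10:01:12 +0000] "GET /wp-content/plugins/all-in-one-bannerRotator/index.php?slide=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [06/Mar/2026:10:02:44 +0000] "GET /wp-content/plugins/all-in-one-bannerRotator/index.php?slide=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 604 "-" "curl/8.0"',
    '198.51.100.9 - - [06/Mar/2026:10:02:45 +0000] "GET /wp-content/plugins/all-in-one-bannerRotator/index.php?slide=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 604 "-" "curl/8.0"',
    '192.0.2.5 - - [06/Mar/2026:10:03:00 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
];

foreach (find_xss_probes($sample) as $hit) {
    printf("%s %s %s HTTP %d  %s\n", $hit['time'], $hit['ip'], $hit['method'], $hit['status'], $hit['query']);
}
```

Feed it real lines with `file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES)` in place of `$sample`. An HTTP 200 on a flagged request only tells you the probe reached the plugin, not that it fired in anyone's browser; correlate the client address and timestamp with authenticated activity (wp-login, wp-admin) from the same period before deciding which sessions to invalidate. POST bodies are not in the access log, so a form-based delivery of the same payload would not be visible here.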

Generated by OpenCVE AI on April 16, 2026 at 04:48 UTC.


Advisories

No advisories yet.

History

Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Lambertgroup; Lambertgroup allinone - Banner Rotator; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Lambertgroup; Lambertgroup allinone - Banner Rotator; Wordpress; Wordpress wordpress

Thu, 05 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Mar 2026 06:15:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup AllInOne - Banner Rotator all-in-one-bannerRotator allows Reflected XSS. This issue affects AllInOne - Banner Rotator: from n/a through <= 3.8.

Type: Title
Values Added: WordPress AllInOne - Banner Rotator plugin <= 3.8 - Reflected Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:15:45.552Z

Reserved: 2026-02-25T12:14:02.975Z

Link: CVE-2026-28112

Vulnrichment

Updated: 2026-03-05T16:00:36.096Z

NVD

Status : Deferred

Published: 2026-03-05T06:16:45.693

Modified: 2026-04-22T21:27:27.950

Link: CVE-2026-28112

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T05:00:09Z

Weaknesses