Cyber Resilience

CVE-2026-28110

High

Published: 05 March 2026

Published
05 March 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
EPSS Score 0.0004 14.4th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28110 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-28110 is an improper neutralization of input during web page generation vulnerability, specifically a reflected cross-site scripting (XSS) issue classified under CWE-79, affecting the LambertGroup AllInOne Banner with Playlist WordPress plugin (all-in-one-bannerWithPlaylist). This flaw impacts all versions from n/a through 3.8 inclusive. The vulnerability was published on 2026-03-05 and carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L).

An unauthenticated attacker with network access can exploit this reflected XSS with low attack complexity by tricking a user into clicking a maliciously crafted URL that injects and reflects executable JavaScript on the page. Upon successful exploitation, the attacker achieves changed scope with low impacts on confidentiality, integrity, and availability, typically enabling theft of user session data, cookies, or other client-side information within the victim's browser context.

The Patchstack advisory provides details on this WordPress plugin vulnerability, including assessment and potential mitigation guidance, accessible at https://patchstack.com/database/Wordpress/Plugin/all-in-one-bannerWithPlaylist/vulnerability/wordpress-lambertgroup-allinone-banner-with-playlist-plugin-3-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

EU & UK References

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LambertGroup LambertGroup - AllInOne - Banner with Playlist all-in-one-bannerWithPlaylist allows Reflected XSS.This issue affects LambertGroup - AllInOne - Banner with Playlist: from n/a through <= 3.8.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

Reflected XSS enables browser session hijacking and web session cookie theft via injected JavaScript; attack delivery typically uses spearphishing links containing the malicious URL.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-23593Shared CWE-79
CVE-2025-22760Shared CWE-79
CVE-2026-24973Shared CWE-79
CVE-2026-22256Shared CWE-79
CVE-2025-23462Shared CWE-79
CVE-2026-25461Shared CWE-79
CVE-2025-23524Shared CWE-79
CVE-2026-32277Shared CWE-79
CVE-2026-35035Shared CWE-79
CVE-2025-23753Shared CWE-79

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires protection of public-facing web applications against reflected XSS attacks via input neutralization failures.

prevent

Mandates validation and sanitization of all untrusted input before web page generation, blocking the reflected XSS payload at its source.

prevent

Requires filtering/encoding of information output to browsers, preventing execution of attacker-supplied scripts in reflected XSS responses.

References