CVE-2026-28127
Published: 05 March 2026
Summary
CVE-2026-28127 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 14.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-28127 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the e-plugins Lawyer Directory (lawyer-directory) WordPress plugin. This issue affects Lawyer Directory versions from n/a through 1.3.2.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): it is exploitable over the network with low attack complexity and no privileges, but requires user interaction, typically a victim following a crafted link. Because request input is reflected into the generated page without neutralization, attacker-supplied script executes in the victim's browser context; the vector rates this as a limited (Low) impact on confidentiality, integrity, and availability with a changed scope, and in practice it allows theft of session data or execution of arbitrary scripts in the victim's session.
The Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve) documents the XSS vulnerability specific to Lawyer Directory plugin version 1.3.2.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9779
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Lawyer Directory lawyer-directory allows Reflected XSS. This issue affects Lawyer Directory: from n/a through <= 1.3.2.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing plugin directly enables JavaScript execution (T1059.007) triggered by malicious links (T1204.001), facilitating browser session hijacking (T1185), web session cookie theft (T1539), and web portal input capture (T1056.003).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and neutralization of the untrusted web inputs that cause the reflected XSS in Lawyer Directory plugin versions <= 1.3.2.
- SI-15 (Information Output Filtering): requires filtering/sanitization of information outputs before rendering in the browser, blocking execution of attacker-supplied scripts via reflected parameters.
- Malicious code protection: provides malicious-code detection and blocking mechanisms that can identify and stop reflected XSS payloads delivered through plugin inputs.
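As an added illustration of SI-10 and SI-15 applied to a reflected-input path in a WordPress plugin (example code written for this page, not the Lawyer Directory plugin's own code; the shortcode, function names and the `lawyer_search` parameter are hypothetical, and the WordPress core functions `wp_unslash`, `sanitize_text_field`, `esc_attr` and `esc_html` are assumed to be loaded):

```php
<?php
// Hypothetical shortcode that reflects a search term from the request back
// into the page. Parameter and function names are assumptions for the example.

// VULNERABLE pattern (CWE-79): the raw request value is concatenated into markup,
// so any characters that terminate the attribute or element are interpreted as HTML.
function ld_example_search_box_vulnerable() {
    $term = isset( $_GET['lawyer_search'] ) ? $_GET['lawyer_search'] : '';
    return '<input type="text" name="lawyer_search" value="' . $term . '">'
         . '<p>Results for: ' . $term . '</p>';
}

// HARDENED pattern: normalise and bound the input on the way in (NIST SI-10) and
// encode for the exact output context on the way out (NIST SI-15). Both steps are
// needed: sanitize_text_field() strips tags and control characters but is not an
// HTML encoder, so esc_attr()/esc_html() still perform the context-specific escaping.
function ld_example_search_box_hardened() {
    $raw  = isset( $_GET['lawyer_search'] ) ? wp_unslash( $_GET['lawyer_search'] ) : '';
    $term = sanitize_text_field( $raw );      // SI-10: input validation / normalisation
    if ( strlen( $term ) > 100 ) {            // SI-10: enforce a length bound
        $term = substr( $term, 0, 100 );
    }
    return '<input type="text" name="lawyer_search" value="' . esc_attr( $term ) . '">' // SI-15: attribute context
         . '<p>Results for: ' . esc_html( $term ) . '</p>';                               // SI-15: HTML text context
}
```

`esc_attr()` and `esc_html()` entity-encode `<`, `>`, `&` and both quote characters, so the reflected text stays data inside the attribute or element it was placed in rather than becoming new markup.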