LambertGroup – AllInOne – Banner with Playlist Vulnerability (Mediu…


Mar 5, 2026 | Plugins

Attack Vectors

CVE-2026-28110 is a Medium severity (CVSS 6.1) Reflected Cross-Site Scripting (XSS) vulnerability affecting the WordPress plugin LambertGroup – AllInOne – Banner with Playlist (slug: all-in-one-bannerWithPlaylist) in versions up to and including 3.8.

An attacker does not need to be logged in to attempt exploitation. The most common path is a crafted link or request that includes malicious content. The script executes only if the attacker can successfully convince a user to take an action—typically clicking a link or otherwise loading a specially constructed page.

Because this is “reflected” XSS, the injected content is returned in the immediate response rather than being stored long-term in the website. That can make the attack harder to spot in routine content reviews while still being effective in targeted campaigns against executives, finance staff, or compliance teams.

Security Weakness

The underlying issue is described as insufficient input sanitization and output escaping in the plugin. In practical terms, certain user-supplied data can be accepted and then displayed back to the browser without adequate safeguards.

This weakness enables malicious scripts to be included in a request and then executed in a victim’s browser in the context of your site—potentially making the activity appear to originate from a trusted brand property.
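The following is an added illustration, not code from the LambertGroup plugin or from the advisory: it shows the general pattern behind "insufficient input sanitization and output escaping" by rendering a request value first without any safeguards and then with input sanitization plus context-aware output escaping. The parameter name `q`, the markup and the request value are hypothetical; the fallback definitions of `esc_html()`, `esc_attr()` and `sanitize_text_field()` exist only so the script runs under plain PHP, and are skipped when the real WordPress functions of those names are loaded.

```php
<?php
// Added example (not the plugin's own code). Parameter 'q' and the markup are
// hypothetical; the request below is constructed for the demonstration.

// Stand-ins for the WordPress escaping helpers so this runs under plain PHP.
// Inside WordPress the real esc_html()/esc_attr()/sanitize_text_field() apply.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        // Escape for HTML text content: < > & " ' become entities.
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        // Escape for a quoted HTML attribute value.
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string {
        // Simplified: drop tags and control characters, collapse whitespace.
        $s = strip_tags($s);
        $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);
        return trim(preg_replace('/\s+/', ' ', $s));
    }
}

// Weak pattern: the raw query-string value is placed straight into markup,
// so a value containing quotes or angle brackets changes the page structure.
function render_vulnerable(array $get): string {
    $q = $get['q'] ?? '';
    return '<input type="text" name="q" value="' . $q . '">'
         . '<p>Results for ' . $q . '</p>';
}

// Hardened pattern: sanitize on input, then escape for the exact output
// context (attribute value vs. text node) at the point of output.
function render_hardened(array $get): string {
    $q = sanitize_text_field($get['q'] ?? '');
    return '<input type="text" name="q" value="' . esc_attr($q) . '">'
         . '<p>Results for ' . esc_html($q) . '</p>';
}

// Constructed request: a value with markup-significant characters.
$request = ['q' => '"><b>demo</b>'];

echo "Vulnerable output:\n" . render_vulnerable($request) . "\n\n";
echo "Hardened output:\n"   . render_hardened($request) . "\n";
```

Run with `php example.php`: the vulnerable branch shows the attribute being closed early and the injected `<b>` tag rendered as markup, while the hardened branch emits `&quot;&gt;demo` as inert text in both contexts. The point to take from it is that escaping has to match the output context; a single generic sanitizer on input is not a substitute for escaping at every place the value is echoed.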

There is no known patch available at this time. Given that, organizations should evaluate mitigations aligned to business risk and, depending on their risk tolerance, may choose to uninstall the affected plugin and replace it.

Technical or Business Impacts

For leadership and business stakeholders, the primary risk is that an attacker can leverage your website’s trust to influence users and potentially access or misuse session information. If a targeted employee (for example, a marketing director, CFO, or compliance staff member) clicks a malicious link, the attacker may be able to perform actions within that user’s browser session consistent with the permissions that user already has.

Business impacts can include brand damage (malicious pop-ups or redirects appearing to come from your domain), loss of customer trust, and increased fraud or phishing success when attackers can convincingly use your website as part of a social engineering chain.

Operationally, incident response can require time-consuming investigation, stakeholder communications, and compliance review—especially if the affected site supports lead generation, campaign landing pages, or customer portals where reputation and continuity are critical.

Similar Attacks

Reflected XSS is a common technique used to turn trusted websites into stepping stones for phishing and account compromise. Real-world examples include:

MOVEit Transfer exploitation (CVE-2023-34362) – CISA Alert

Log4j exploitation guidance – CISA

Phishing and social engineering tradecraft – CISA Advisory AA23-347A
