Atomic Edge analysis of CVE-2026-28108 (metadata-based):
This vulnerability is a reflected cross-site scripting (XSS) flaw in the LambertGroup AllInOne Banner with Thumbnails WordPress plugin. The CWE-79 classification confirms improper neutralization of input during web page generation, and the description states insufficient input sanitization and output escaping in versions up to 3.8. Unauthenticated attackers can inject arbitrary web scripts by tricking users into clicking malicious links. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates network accessibility, low attack complexity, no privileges required, user interaction required, a scope change, low confidentiality and integrity impact, and no availability impact.

Atomic Edge research infers that the vulnerability likely exists in a public-facing plugin endpoint that echoes user-supplied parameters without proper escaping. Common WordPress patterns suggest this could be an AJAX handler, a shortcode attribute, or a parameter passed directly to a PHP file. The plugin slug ‘all-in-one-thumbnailsBanner’ suggests potential AJAX actions such as ‘all_in_one_thumbnailsBanner_action’ or shortcode parameters such as ‘banner_id’; these names are inferred from naming conventions, not confirmed from the plugin source.

The fix would require escaping output with context-appropriate functions such as esc_html() or esc_attr() and validating input with sanitize_text_field(). Successful exploitation executes arbitrary JavaScript in the victim’s browser session, potentially allowing session hijacking, content modification, or malicious redirects.
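To make the class of defect and the fix described above concrete, here is an added example; it is not code from the plugin, from LambertGroup, or from Atomic Edge. It shows a hypothetical WordPress shortcode handler in its vulnerable form (attribute and query-string values concatenated straight into HTML) beside a hardened form that validates input and escapes each value for its exact output context. The shortcode name `example_banner`, the `banner_page` query parameter, and both function names are invented for illustration; the block assumes the WordPress runtime for `shortcode_atts()`, `absint()`, `sanitize_text_field()`, `wp_unslash()`, `add_query_arg()`, `esc_attr()`, `esc_html()`, `esc_url()` and `add_shortcode()`.

```php
<?php
/**
 * Added example, not the plugin's code: a hypothetical shortcode that reflects
 * a shortcode attribute and a GET parameter into the page.
 * Assumes the WordPress runtime (shortcode_atts, absint, sanitize_text_field,
 * wp_unslash, add_query_arg, esc_attr, esc_html, esc_url, add_shortcode).
 */

// Vulnerable pattern (CWE-79): values are written into attribute, text and URL
// contexts with no escaping, so a quote or angle bracket in any of them breaks
// out of the intended context.
function example_banner_vulnerable( $atts ) {
    $atts = shortcode_atts( array( 'id' => '0', 'title' => '' ), $atts, 'example_banner' );
    $page = isset( $_GET['banner_page'] ) ? $_GET['banner_page'] : '1';

    return '<div class="banner" data-id="' . $atts['id'] . '">'
         . '<h2>' . $atts['title'] . '</h2>'
         . '<a href="?banner_page=' . $page . '">Page ' . $page . '</a>'
         . '</div>';
}

// Hardened pattern: constrain each input to the type it must have on the way in,
// then escape on the way out with the function that matches the output context.
function example_banner_hardened( $atts ) {
    $atts = shortcode_atts( array( 'id' => '0', 'title' => '' ), $atts, 'example_banner' );

    // Input validation: the id is a non-negative integer, the title plain text.
    $id    = absint( $atts['id'] );
    $title = sanitize_text_field( $atts['title'] );

    // WordPress adds slashes to superglobals; unslash, then coerce to an integer
    // and clamp to a sane minimum. A non-numeric value collapses to 1.
    $page = isset( $_GET['banner_page'] ) ? absint( wp_unslash( $_GET['banner_page'] ) ) : 1;
    $page = max( 1, $page );

    // Build the link with the API rather than string concatenation.
    $href = add_query_arg( 'banner_page', $page );

    // Output escaping per context: esc_attr for attributes, esc_html for text
    // nodes, esc_url for href values.
    return '<div class="banner" data-id="' . esc_attr( $id ) . '">'
         . '<h2>' . esc_html( $title ) . '</h2>'
         . '<a href="' . esc_url( $href ) . '">Page ' . esc_html( $page ) . '</a>'
         . '</div>';
}

// Register only the hardened handler; the vulnerable one is kept for comparison.
add_shortcode( 'example_banner', 'example_banner_hardened' );
```

Two points the example is meant to surface. First, `sanitize_text_field()` alone does not prevent XSS: it strips tags and control characters but leaves quotes intact, so a sanitized value dropped into an attribute still needs `esc_attr()`. Escaping at the point of output, chosen for the context (attribute, text, URL, JavaScript), is the control that actually neutralizes the injection; input sanitization is defence in depth. Second, for a reflected flaw reachable without authentication, the relevant review targets are exactly the places the analysis names: shortcode attributes, AJAX handlers registered with `wp_ajax_nopriv_*`, and any PHP file that reads `$_GET` or `$_REQUEST` and prints it.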