Atomic Edge analysis of CVE-2026-28112 (metadata-based):
The vulnerability is a reflected cross-site scripting (XSS) flaw in the AllInOne – Banner Rotator WordPress plugin, version 3.8 and earlier. The root cause is insufficient input sanitization and output escaping of user-supplied input, as defined by CWE-79. The vulnerability description states that exploitation occurs when an attacker tricks a user into clicking a link. This indicates the attack vector is a GET request parameter that is reflected in the server’s HTTP response without proper escaping: the plugin likely echoes a user-controlled parameter from the URL query string or a form field directly into an HTML or JavaScript context of the page.

The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) confirms that the attack is network-based, has low attack complexity, requires no privileges but does require user interaction, and produces a scope change with low confidentiality and integrity impact. The lack of a patched version suggests the plugin may be abandoned. Atomic Edge research infers that the vulnerable endpoint is likely a public-facing administrative page or an AJAX handler lacking proper capability checks, where a parameter such as ‘id’, ‘banner’, or ‘settings’ is left unsanitized.

The fix would require implementing proper input validation using `sanitize_text_field()` or output escaping with `esc_html()`, `esc_js()`, or `wp_kses()`. Successful exploitation allows an unauthenticated attacker to execute arbitrary JavaScript in the victim’s browser session, potentially leading to session hijacking, redirection of an administrator, or malicious actions performed on behalf of the user.
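As an added illustration (not the plugin's own code, and not confirmed against it), the unsafe reflection pattern the advisory describes is shown beside a hardened version that applies the WordPress sanitization and escaping functions named above; the function names, the `banner`/`id` parameters and the `aio-banner` text domain are assumed:

```php
<?php
// Added illustration, not the plugin's code: a hypothetical admin page
// callback that reflects a query parameter, first in the vulnerable shape the
// advisory describes, then hardened. Parameter and function names are assumed.

// Vulnerable pattern (CWE-79): request data echoed into the page unescaped.
function aio_banner_preview_vulnerable() {
    $banner = isset( $_GET['banner'] ) ? $_GET['banner'] : '';
    echo '<h2>Banner: ' . $banner . '</h2>';                           // HTML body context
    echo '<input type="text" name="banner" value="' . $banner . '">';  // attribute context
}

// Hardened form: capability check, nonce on the link, input sanitised on the
// way in, and output escaped for the exact context it lands in.
function aio_banner_preview_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'aio-banner' ) );
    }
    // A crafted link from a third party cannot carry a valid nonce for the victim,
    // so the page refuses to render attacker-chosen parameters at all.
    if ( ! isset( $_GET['_wpnonce'] ) || ! wp_verify_nonce( sanitize_key( $_GET['_wpnonce'] ), 'aio_banner_preview' ) ) {
        wp_die( esc_html__( 'Invalid request.', 'aio-banner' ) );
    }
    $banner = isset( $_GET['banner'] ) ? sanitize_text_field( wp_unslash( $_GET['banner'] ) ) : '';
    $id     = isset( $_GET['id'] ) ? absint( $_GET['id'] ) : 0;  // numeric ids are cast, never trusted

    // Escaping is chosen per output context; sanitising the input alone is not enough.
    echo '<h2>Banner: ' . esc_html( $banner ) . '</h2>';
    echo '<input type="text" name="banner" value="' . esc_attr( $banner ) . '">';
    echo '<script>var aioBannerId = ' . (int) $id . '; var aioBannerName = "' . esc_js( $banner ) . '";</script>';
}

// Builds a link to the hardened page with the nonce attached; late-escape the
// result with esc_url() when printing it into markup.
function aio_banner_preview_url( $banner ) {
    $url = add_query_arg(
        array( 'page' => 'aio-banner-preview', 'banner' => rawurlencode( $banner ) ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'aio_banner_preview' );
}
```

The nonce check is defence in depth against the click-a-link vector; the actual CWE-79 fix is the context-specific escaping (`esc_html()`, `esc_attr()`, `esc_js()`) at every point where the value is written out.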
