The vulnerability CVE-2026-28102 affects LambertGroup UberSlider Classic plugin (versions ≤ 2.5) and involves improper neutralization of input during web page generation, resulting in reflected cross-site scripting (XSS). This allows an attacker to craft malicious input that is reflected in the web page output without proper sanitization, potentially enabling script execution in the victim's browser. The CVSS 3.1 base score is 7.1, indicating a high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can lead to execution of arbitrary scripts in the context of the victim's browser, potentially allowing theft of sensitive information, session hijacking, or other malicious actions affecting confidentiality, integrity, and availability of the affected system or user data. The reflected nature of the XSS requires user interaction to trigger the malicious payload.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or restricting use of the affected UberSlider Classic plugin versions. Implementing web application firewall (WAF) rules to detect and block reflected XSS attempts may provide temporary mitigation. Avoid clicking on suspicious links that could trigger the reflected XSS.