CVE-2026-6495
Reflected Cross-Site Scripting in Ajax Load More WordPress Plugin
Publication date: 2026-05-18
Last updated on: 2026-05-18
Assigner: WPScan
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ajax_load_more | ajax_load_more | to 7.8.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a reflected Cross-Site Scripting (XSS) issue that could be exploited against high privilege users such as administrators. Such vulnerabilities can lead to unauthorized access or actions within the affected system.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, reflected XSS vulnerabilities can potentially lead to data breaches or unauthorized data access, which may impact compliance with these regulations.
Organizations using the affected plugin should consider this vulnerability as a risk to the confidentiality and integrity of their systems and data, which are key aspects of compliance frameworks.
Can you explain this vulnerability to me?
The Ajax Load More WordPress plugin versions prior to 7.8.4 have a reflected Cross-Site Scripting (XSS) vulnerability. This occurs because the plugin does not properly sanitize and escape a parameter before outputting it back on the page. As a result, an attacker can inject malicious scripts that are reflected to users when they load the page.
This vulnerability specifically threatens high privilege users such as administrators, potentially allowing attackers to execute arbitrary scripts in their browsers.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to perform reflected Cross-Site Scripting attacks against high privilege users like admins. Such attacks can lead to the theft of sensitive information, session hijacking, or unauthorized actions performed with the privileges of the targeted user.
Because the vulnerability has a CVSS score of 7.1, it is considered high severity, indicating significant risk if exploited.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the Ajax Load More WordPress plugin to version 7.8.4 or later, as versions prior to 7.8.4 are vulnerable to reflected Cross-Site Scripting attacks.
Since the vulnerability targets high privilege users such as administrators, it is also advisable to limit access to the plugin and monitor for suspicious activity until the update is applied.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a reflected Cross-Site Scripting (XSS) issue in the Ajax Load More WordPress plugin versions prior to 7.8.4. Detection typically involves testing the plugin's parameters for improper sanitization and escaping by injecting XSS payloads and observing if they are reflected in the page output.
Since the vulnerability involves reflected input in web pages, detection can be performed by sending crafted HTTP requests to the affected plugin endpoints and checking the response for reflected script code.
Example commands using curl to test for reflected XSS might include:
- curl -i -s -k -X GET 'http://targetsite.com/?parameter=<script>alert(1)</script>'
- Observe the HTTP response body for the presence of the injected script tag without proper escaping.
Additionally, web vulnerability scanners that test for reflected XSS can be used against the site to automate detection.