Description
The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-button-label HTML attribute in all versions up to, and including, 7.4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-17
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting (XSS)
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in an inadequate sanitization and escaping routine for the data-button-label attribute in the Ajax Load More plugin. An authenticated user with Contributor-level privilege or higher can insert arbitrary HTML or JavaScript code that the plugin stores and later renders on pages that use the infinite‑scroll feature. When another user views the affected page, the injected script executes in that user's browser context, allowing the attacker to steal session cookies, deface content, or redirect users to malicious sites. The vulnerability directly compromises a site’s confidentiality and integrity for all visitors to the affected pages.

Affected Systems

WordPress sites that have installed the Ajax Load More – Infinite Scroll plugin from dcooney, in any revision up to and including version 7.4.0.1.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity, while an EPSS score of less than 1 % suggests that the likelihood of exploitation in the wild is currently low. The vulnerability is not listed in the CISA KEV catalog. Attackers are required to authenticate with at least Contributor privileges within the affected WordPress installation to inject a payload, thus limiting the threat to sites with unauthorized or compromised contributor accounts. Once injected, however, the stored XSS executes automatically for any site visitor, making the impact far‑reaching for each load on populated page.

Generated by OpenCVE AI on April 21, 2026 at 20:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ajax Load More plugin to a version newer than 7.4.0.1.
  • If an upgrade is temporarily infeasible, strip or encode the data-button-label attribute before rendering it, ensuring that any stored value is escaped as plain text.
  • Immediately remove or purge any pages or posts that have been compromised by malicious data-button-label entries to eliminate the existing stored payloads.
  • Consider revoking Contributor privileges for accounts that are no longer needed to reduce the attack surface.

Generated by OpenCVE AI on April 21, 2026 at 20:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18448 The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-button-label HTML attribute in all versions up to, and including, 7.4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
History

Tue, 17 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 17 Jun 2025 02:00:00 +0000

Type Values Removed Values Added
Description The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the data-button-label HTML attribute in all versions up to, and including, 7.4.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title WordPress Infinite Scroll – Ajax Load More <= 7.4.0.1 - Authenticated(Contributor+) Stored Cross-Site Scripting
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:56:48.200Z

Reserved: 2025-05-15T13:49:53.891Z

Link: CVE-2025-4775

cve-icon Vulnrichment

Updated: 2025-06-17T13:41:05.404Z

cve-icon NVD

Status : Deferred

Published: 2025-06-17T02:15:19.867

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4775

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:15:44Z

Weaknesses