PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-6495 Ajax Load More CVE debrief

A reflected cross-site scripting (XSS) vulnerability exists in the Ajax Load More WordPress plugin before version 7.8.4. The plugin fails to sanitize and escape a parameter before rendering it in page output, enabling attackers to inject malicious scripts. Successful exploitation could compromise high-privilege user sessions, including administrators. The vulnerability carries a HIGH severity CVSS score of 7.1. No known exploitation in ransomware campaigns has been documented.

Vendor: Ajax Load More
Product: Ajax Load More
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-18
Original CVE updated: 2026-05-18
Advisory published: 2026-05-18
Advisory updated: 2026-05-18

Who should care

  • WordPress site administrators using the Ajax Load More plugin
  • Security teams managing WordPress deployments
  • Developers maintaining custom integrations with Ajax Load More
  • Compliance officers tracking CVE coverage for web application security

Technical summary

The Ajax Load More plugin for WordPress, in versions prior to 7.8.4, contains a reflected XSS vulnerability stemming from insufficient input sanitization and output escaping. An attacker can craft a request that places a payload in the vulnerable parameter; when a high-privilege user (such as an administrator) opens the crafted URL, the plugin reflects the parameter value into the page unescaped and the embedded script executes in the victim's browser context. This enables session hijacking, credential theft, or administrative actions performed under the victim's identity. The attack requires user interaction (UI:R) and network access (AV:N) but no authentication (PR:N). The vulnerability is classified under CWE-79 and scored CVSS 3.1 7.1 (HIGH).
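As an added illustration of the CWE-79 pattern described above (this is not code from the Ajax Load More plugin, and the advisory does not name the affected parameter), the following shows a request parameter reflected into WordPress page output unescaped, beside the sanitize-on-input, escape-on-output form the WordPress API provides. The parameter name `example_param`, the CSS class and the function names are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. The parameter name, the CSS
// class and the function names are assumptions for illustration only.

// VULNERABLE pattern (CWE-79): the raw query-string value is written into
// the page, so any markup it contains is rendered by the victim's browser.
function example_render_vulnerable() {
    $value = isset( $_GET['example_param'] ) ? $_GET['example_param'] : '';
    echo '<div class="example-filter" data-filter="' . $value . '">'
        . $value . '</div>';
}

// HARDENED pattern: sanitize on input, then escape on output for the exact
// context (attribute value vs. element text) where the value lands.
function example_render_hardened() {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, invalid octets and line breaks.
    $value = isset( $_GET['example_param'] )
        ? sanitize_text_field( wp_unslash( $_GET['example_param'] ) )
        : '';

    // esc_attr() for attribute context, esc_html() for element content.
    // Escaping at output time is what prevents a reflected value from
    // becoming executable markup, even if input sanitization is bypassed.
    printf(
        '<div class="example-filter" data-filter="%s">%s</div>',
        esc_attr( $value ),
        esc_html( $value )
    );
}
```

When reviewing plugin integrations (see the defensive actions below), the check is whether every request-derived value passes through a context-appropriate `esc_*()` call at the point it is written into markup, not only whether it was sanitized when read.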

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade Ajax Load More WordPress plugin to version 7.8.4 or later
  • Implement Content Security Policy (CSP) headers to mitigate XSS impact
  • Review and sanitize all user-supplied parameters in plugin integrations
  • Enable WordPress automatic updates for security patches
  • Conduct security review of admin-facing plugin functionality

Evidence notes

Vulnerability confirmed via WPScan advisory. NVD status currently Deferred. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. CWE-79 (Improper Neutralization of Input During Web Page Generation) identified as root cause.

Official resources

2026-05-18