PatchSiren cyber security CVE debrief
CVE-2026-15295 dcooney CVE debrief
The WordPress Infinite Scroll – Ajax Load More plugin is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 7.0.1. This vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts. The vulnerability has a medium severity with a CVSS score of 4.4 and primarily affects multi-site installations or those with unfiltered_html disabled. Exploitation requires administrator-level access, limiting the attack surface. However, the potential impact on affected sites is significant, as it could lead to unauthorized script execution.
- Vendor
- dcooney
- Product
- Ajax Load More – Infinite Scroll, Load More, & Lazy Load
- CVSS
- MEDIUM 4.4
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Administrators of WordPress multi-site installations or installations where unfiltered_html has been disabled should assess and mitigate this vulnerability. Site owners, security teams, and administrators with access to plugin settings need to be aware of the potential risks and take appropriate actions to protect their sites. This includes verifying plugin versions, restricting administrator permissions, and monitoring for suspicious activity.
Technical summary
The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 7.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Defensive priority
Medium priority due to the requirement for administrator-level permissions and the limited scope of exploitation. However, given the potential impact, it should be addressed promptly.
Recommended defensive actions
- Verify and update the Infinite Scroll – Ajax Load More plugin to a version beyond 7.0.1 if available.
- Restrict administrator-level permissions to trusted users.
- Monitor for suspicious admin activity and injected scripts.
- Consider disabling unfiltered_html if not required.
- Review and limit administrator access to plugin settings.
- Perform regular security audits and monitoring of site activity.
- Implement additional security measures such as Web Application Firewalls (WAFs) to detect and prevent exploitation attempts.
Evidence notes
Evidence is based on the CVE record and NVD detail provided. Further verification is recommended through official WordPress and plugin sources. The vulnerability affects multi-site installations and installations where unfiltered_html has been disabled. Defenders should verify the plugin version and configuration. Additional review of admin settings and user permissions is necessary.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T20:16:45.733Z and has not been modified since then.