High-Severity Reflected XSS Vulnerability in Ajax Load More Plugin Affects WordPress Administrators
Severity: High (Score: 64.5)
Sources: infosec.exchange, Feedly, www.incibe.es, cve.akaoma.com
Keywords: cve-2026-6495, before, ajax, load, wordpress, plugin, escape
Severity indicators: vulnerabilities, CVE:CVE-2026-6495
Summary
A reflected cross-site scripting (XSS) vulnerability, tracked as CVE-2026-6495, affects the Ajax Load More WordPress plugin in versions before 7.8.4. The plugin reflects a request parameter into the page without sanitising or escaping it, so an unauthenticated attacker can craft a URL that, once opened by a logged-in high-privilege user such as an administrator, executes attacker-controlled JavaScript in that user's browser session. The CVSS 3.1 base score is 7.1 (High). No public proof of concept and no evidence of in-the-wild exploitation have been reported.

Site owners should upgrade to version 7.8.4 or later. Until the update is applied, restrict access to the plugin's vulnerable functionality or disable the plugin. The vulnerability was first published on May 18, 2026 and has since been reported by multiple security sources.

Key Points:
• CVE-2026-6495 is a reflected XSS vulnerability in the Ajax Load More plugin for WordPress (versions before 7.8.4).
• A crafted URL lets an attacker run JavaScript in the browser of a high-privilege user who opens it.
• Upgrading to version 7.8.4 or later removes the flaw; disabling the plugin is the interim mitigation.
Detailed Analysis
**Impact**
WordPress sites running Ajax Load More versions before 7.8.4 are affected. Because the injected script runs in the victim's authenticated browser session, a successful attack against an administrator can perform actions with that administrator's privileges (changing settings, creating content or users, and similar) and can impersonate the victim to the site. The plugin is used on sites worldwide; no sector- or region-specific exposure data is given in the sources. The CVSS 3.1 vector rates the confidentiality, integrity and availability impacts as Low with scope changed, reflecting that the script executes in the victim's browser rather than on the server.

**Technical Details**
CVE-2026-6495 is a reflected cross-site scripting flaw (CWE-79): the plugin fails to sanitise and escape a request parameter before echoing it back into the generated page, so markup or script in the parameter is rendered and executed by the browser. The sources do not name the parameter or the affected code path. The attack vector is network-based with low complexity; no privileges are required, but user interaction is needed, since the victim must open the attacker-supplied URL. In kill-chain terms this is initial access delivered through social engineering or phishing. No malware, tooling or indicators of compromise have been reported.

**Recommended Response**
Upgrade Ajax Load More to version 7.8.4 or later immediately. As an interim mitigation, restrict access to the plugin's vulnerable functionality or deactivate the plugin until it is patched. Remind administrators and other high-privilege users not to open untrusted links while logged in. Review web-server and WAF logs for requests carrying script-like content in query parameters (encoded `<script`, event-handler attributes such as `onmouseover=`, `javascript:` URIs); because no public proof of concept or exploitation evidence currently exists, any such request deserves triage rather than being dismissed as scanner noise.
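The two points above that a practitioner most wants to see concretely are the defect itself (a parameter reflected into HTML without escaping, next to the escaped form) and the log triage suggested in the response section. The block below is an added example written for this page; it is not code from the Ajax Load More plugin, which is PHP. Since the sources do not disclose the affected parameter, `alm_query` is a hypothetical parameter name, and the access-log lines at the end are constructed. `html.escape(quote=True)` plays the role that WordPress's `esc_attr()` would play in the real fix.

```python
"""Reflected XSS: the unescaped-reflection pattern and a log-triage check.

Added example for CVE-2026-6495; this is NOT code from the Ajax Load More
plugin. The advisory does not name the affected parameter, so
``alm_query`` is a hypothetical name chosen for illustration, and the
access-log lines at the bottom are constructed.
"""
import html
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

HYPOTHETICAL_PARAM = "alm_query"  # assumption: not the real parameter name


def render_vulnerable(query: str) -> str:
    """Echo a query-string parameter into HTML with no sanitising or escaping.

    This is the defect class the advisory describes: the value lands in an
    attribute and in text content exactly as the attacker supplied it.
    """
    value = parse_qs(query).get(HYPOTHETICAL_PARAM, [""])[0]
    return f'<div class="alm-results" data-query="{value}">{value}</div>'


def render_hardened(query: str) -> str:
    """Same markup, with the reflected value HTML-escaped for its context.

    html.escape(quote=True) stands in for WordPress's esc_attr(): it encodes
    < > & " ' so the value can neither close the attribute nor open a tag.
    That is safe for the attribute and text positions used here; a value
    reflected into a URL or a <script> block would need a different encoder.
    """
    value = parse_qs(query).get(HYPOTHETICAL_PARAM, [""])[0]
    safe = html.escape(value, quote=True)
    return f'<div class="alm-results" data-query="{safe}">{safe}</div>'


# Payload shapes worth flagging in query parameters: tag injection,
# event-handler attributes (attribute break-out) and javascript: URIs.
XSS_PATTERNS = [
    re.compile(r"<\s*/?\s*(script|img|svg|iframe|object|embed|body)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]

# Combined-format access log line (Apache/nginx default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def flag_xss_requests(log_text: str, only_params=None) -> list:
    """Return requests whose decoded query values look like XSS payloads.

    only_params restricts the check to the named parameters; the default
    (None) scans every parameter, which is the sensible choice while the
    vulnerable parameter name is not public.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, values in parse_qs(urlsplit(m["target"]).query).items():
            if only_params is not None and name not in only_params:
                continue
            for value in values:
                decoded = unquote_plus(value)  # also unwraps double-encoded payloads
                matched = [p.pattern for p in XSS_PATTERNS if p.search(decoded)]
                if matched:
                    hits.append({"ip": m["ip"], "ts": m["ts"], "param": name,
                                 "value": decoded, "patterns": matched})
    return hits


# Constructed sample: two probes from one client, then one benign search.
SAMPLE_LOG = """\
203.0.113.7 - - [19/May/2026:10:01:02 +0000] "GET /?alm_query=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/May/2026:10:01:09 +0000] "GET /blog/?alm_query=%22%20onmouseover%3Dalert(1)%20x%3D%22 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [19/May/2026:10:02:00 +0000] "GET /?alm_query=security+news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    probe = "alm_query=%22%20onmouseover%3Dalert(1)%20x%3D%22"
    print("vulnerable:", render_vulnerable(probe))
    print("hardened:  ", render_hardened(probe))
    for hit in flag_xss_requests(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['param']}={hit['value']!r} matched {hit['patterns']}")
```

Running the block shows the second probe closing the `data-query` attribute and injecting an `onmouseover` handler in the vulnerable rendering, while the hardened rendering keeps the whole payload inside the attribute as `&quot;`-escaped text. The log check flags both probes and ignores the benign search; in a real deployment, feed it the site's access log and treat the flagged client IPs as triage leads, bearing in mind that a reflected XSS link delivered by phishing is opened by the victim, so the request comes from the administrator's own address, not the attacker's.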
Source articles (4)
- CVE-2026-6495 — AKAOMA CVE Vulnerabilities (cve.akaoma.com · 2026-05-19): "The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin." Rated 7.1/10; AKAOMA's own summary describes it as "Very High Risk … highly exploitable … a critical security risk that could lead to severe breaches".
- HIGH severity: Reflected XSS in Ajax Load More — #WordPress (infosec.exchange · 2026-05-19): https://radar.offseq.com/threat/cve-2026-6495-cwe-79-cross-site-scripting-xss-in-a-662ee7d0 (#OffSeq #WordPress #XSS)
- CVE-2026-6495 — INCIBE-CERT Vulnerabilities RSS (www.incibe.es · 2026-05-19), translated from Spanish: published Mon 18/05/2026 07:16; CVSS 2.0 severity: pending analysis; CVSS 3.1 base score… (truncated). Description (en): "The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin." Attack Vector (AV): Network; Attack Complexity (AC): Low; Privileges Required (PR): None; User Interaction (UI): Required; Scope (S): Changed; Confidentiality impact… (truncated)
- CVE-2026-6495 - Exploits & Severity (Feedly · 2026-05-18): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79). "The Ajax Load More WordPress plugin before version 7.8.4 does not properly sanitize and escape a parameter…"
Timeline
- 2026-05-18 — CVE-2026-6495 published: The vulnerability affecting the Ajax Load More WordPress plugin was officially published, detailing its XSS nature.
- 2026-05-19 — Vulnerability reported by INCIBE-CERT: INCIBE-CERT confirmed the details of CVE-2026-6495, emphasizing its impact on high-privilege users.
- 2026-05-19 — CVE-2026-6495 detailed by AKAOMA: AKAOMA highlighted the critical risk posed by CVE-2026-6495, urging immediate action for affected users.
CVEs
- CVE-2026-6495
Related entities
- XSS (Vulnerability)
- Reflected Cross-Site Scripting (Vulnerability)
- CWE-79 - Cross-site Scripting (XSS) (CWE)
- T1059 - Command and Scripting Interpreter (MITRE ATT&CK)
- WordPress (Platform)