Ajax Load More is a popular WordPress plugin used for implementing infinite scroll, lazy loading, and dynamic content loading via AJAX. It allows developers to build flexible queries and display posts without reloading the page.
During security testing, a Reflected Cross-Site Scripting (XSS) vulnerability was identified in versions prior to 7.8.4. The issue arises from improper handling of user-supplied input via the alm_preview parameter, which is reflected back into the page without proper sanitization.
This vulnerability allows attackers to craft malicious URLs that execute arbitrary JavaScript in the victim’s browser when opened.
| Field | Value |
| --- | --- |
| CVE | CVE-2026-6495 |
| Plugin Version | Ajax Load More – Infinite Scroll, Load More, & Lazy Load < 7.8.4 |
| All Time Downloads | 2 438 396 |
| Active installations | 40 000+ |
| Publicly Published | January 20, 2026 |
| Last Updated | January 20, 2026 |
| Researcher | Artyom Krugov |
| PoC | Yes |
| Exploit | No |
| Reference | https://www.cve.org/CVERecord?id=CVE-2026-6495, https://wpscan.com/vulnerability/c52f28c5-547d-48ae-89dd-edcdaeadcec5/ |
Discovery of the Vulnerability
| Date | Event |
| --- | --- |
| April 10, 2026 | Plugin testing and vulnerability detection in Ajax Load More have been completed |
| April 10, 2026 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| April 27, 2026 | Registered CVE-2026-6495 |
The vulnerability was discovered by analyzing how the plugin processes preview-related parameters in HTTP GET requests.
The alm_preview parameter accepts user-controlled input and reflects it into the page output. The plugin does not sanitize or escape this input before rendering it, so an attacker can inject HTML or JavaScript into the response.
Understanding Reflected XSS in WordPress and real examples
Reflected XSS occurs when user input is immediately returned (reflected) in the server response without proper sanitization or encoding.
Key characteristics:
- Payload is not stored in the database
- Requires user interaction (e.g., clicking a malicious link)
- Often delivered via:
  - phishing emails
  - social engineering
  - malicious redirects
In WordPress environments, reflected XSS commonly appears in:
- preview parameters
- search queries
- shortcode processing
- GET/POST request handlers
Unlike Stored XSS, reflected XSS depends on tricking a victim into opening a crafted URL.
Exploiting the Reflected XSS Vulnerability
To exploit CVE-2026-6495, an attacker with Contributor+ cookies crafts a URL such as the one below and delivers it to the victim:
POC:
http://your.host.com/wordpress/?alm_preview=%5Bajax_load_more%20id%3D%22%3C/div%3E%3Cimg%20src=x%20onerror=alert(777)%3E#%22%5D____
An attacker sends a phishing email disguised as a “preview link” or “test content link” to a WordPress administrator. Once opened, the malicious payload executes and silently performs administrative actions such as creating a new admin user or injecting persistent backdoors.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2026-6495, administrators should immediately update the Ajax Load More plugin to version 7.8.4 or later.
Developers must ensure that all user-supplied input, especially parameters like alm_preview, is properly sanitized and escaped before being rendered in the output. WordPress functions such as sanitize_text_field(), esc_html(), and esc_attr() should be applied consistently to prevent injection of malicious content. A strict Content Security Policy (CSP) can reduce the impact of reflected XSS by restricting execution of inline scripts.
Administrators should also educate users about phishing risks and avoid opening untrusted links, especially while authenticated in the WordPress admin panel. Additionally, deploying a Web Application Firewall (WAF) and enabling security monitoring can help detect and block malicious requests targeting vulnerable parameters.
By taking proactive measures against reflected XSS issues like CVE-2026-6495, WordPress website owners can strengthen their security posture and safeguard against exploitation. Stay vigilant, stay secure.
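The following Python script is an added example and is not code from the advisory or from the Ajax Load More plugin. It illustrates two of the points above: why escaping a reflected parameter (the defect described for alm_preview) neutralizes the injected markup, and how security monitoring can flag requests that carry HTML or event-handler markers in that parameter. The access-log lines are constructed for this example, the render functions are hypothetical stand-ins for the vulnerable and fixed output paths (not the plugin's real code), and html.escape() plays the role of WordPress esc_attr().

```python
"""Added example: reflected-parameter monitoring and output escaping.

Not part of the advisory or the plugin; log lines and render functions
below are constructed for illustration only.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Query parameters the advisory identifies as reflected without escaping.
WATCHED_PARAMS = {"alm_preview"}

# Markers that indicate HTML or JavaScript injection once a value is decoded:
# an opening/closing tag, an event-handler attribute, or a javascript: URL.
INJECTION_MARKERS = re.compile(
    r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE
)

# Common Log Format line: client, identd, user, [timestamp], "request", status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_params(url: str) -> dict:
    """Return watched parameters whose decoded value carries injection markers."""
    hits = {}
    query = urlsplit(url).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            decoded = unquote(value)  # second decode catches double-encoded payloads
            if INJECTION_MARKERS.search(decoded):
                hits[name] = decoded
    return hits


def scan_log(lines) -> list:
    """Scan access-log lines and return one alert per request that abuses a watched parameter."""
    alerts = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip lines that are not in Common Log Format
        hits = suspicious_params(match["target"])
        if hits:
            alerts.append({"ip": match["ip"], "time": match["ts"], "params": hits})
    return alerts


def render_preview_unsafe(value: str) -> str:
    """Hypothetical vulnerable output path: raw reflection into an HTML attribute."""
    return f'<div data-preview="{value}"></div>'


def render_preview_safe(value: str) -> str:
    """Hypothetical fixed output path: entity-encode like esc_attr() before reflecting."""
    return f'<div data-preview="{html.escape(value, quote=True)}"></div>'


# Constructed sample log: one request carrying the advisory's payload shape,
# one benign shortcode preview, one probe against a parameter we do not watch.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Apr/2026:12:00:01 +0000] "GET /wordpress/?alm_preview='
    '%5Bajax_load_more%20id%3D%22%3C/div%3E%3Cimg%20src=x%20onerror=alert(777)%3E HTTP/1.1" 200 5120',
    '198.51.100.4 - - [10/Apr/2026:12:00:05 +0000] "GET /wordpress/?alm_preview='
    '%5Bajax_load_more%20id%3D%22main%22%5D HTTP/1.1" 200 4096',
    '198.51.100.9 - - [10/Apr/2026:12:00:09 +0000] "GET /wordpress/?s=%3Cscript%3E HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"ALERT {alert['time']} from {alert['ip']}: {alert['params']}")
    payload = '</div><img src=x onerror=alert(777)>'
    print("unsafe:", render_preview_unsafe(payload))
    print("safe:  ", render_preview_safe(payload))
```

Running the script reports a single alert for the request from 203.0.113.7 (the benign shortcode and the probe against an unwatched parameter are ignored), and the two render lines show that the escaped version contains no `<img` tag the browser could interpret. The marker regex is deliberately narrow so that legitimate shortcode attributes such as `button_label=` do not trigger it; tune WATCHED_PARAMS and the markers to the parameters your own WAF or SIEM rules should cover.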

