Skip to main content

Ajax Load More Filters CVE-2026-8141

| EUVDEUVD-2026-40274 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-30 Wordfence GHSA-29c9-xrhx-266f
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
7.2 HIGH

Network-reachable unauthenticated stored XSS (AV:N/AC:L/PR:N) with changed scope since script runs in other users' sessions; Low C/I and no availability impact match browser-context compromise.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 30, 2026 - 10:20 vuln.today
CVE Published
Jun 30, 2026 - 09:31 cve.org
HIGH 7.2

DescriptionCVE.org

The Ajax Load More - Filters plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'taxonomy_include_children' parameter in all versions up to, and including, 3.4.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored cross-site scripting in the Ajax Load More - Filters WordPress plugin (all versions through 3.4.1) lets unauthenticated attackers persist arbitrary JavaScript via the 'taxonomy_include_children' parameter, which then executes in the browser of any user who loads an affected page. Wordfence rates it CVSS 7.2 with a changed scope, reflecting that injected script runs in the context of other site visitors and administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running vulnerable plugin
Delivery
Send request with script in taxonomy_include_children
Exploit
Payload stored unsanitized
Execution
Victim loads injected page
Persist
Script executes in victim browser
Impact
Steal session or perform admin actions

Vulnerability AssessmentAI

Exploitation The target site must be running the Ajax Load More - Filters plugin at version 3.4.1 or earlier with filter functionality that processes the 'taxonomy_include_children' parameter. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS vector (AV:N/AC:L/PR:N/UI:N/S:C, C:L/I:L/A:N, score 7.2) indicates a network-reachable, low-complexity, unauthenticated stored XSS with a scope change - a genuinely meaningful issue for any internet-facing WordPress site running this add-on. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted request that places a malicious value (for example an HTML/script payload) into the 'taxonomy_include_children' parameter, which the plugin stores and later renders unescaped on a filter-driven page. When a site administrator or visitor subsequently loads that page, the script executes in their browser session, enabling session/cookie theft, admin-action forgery, or redirection. …
Remediation No vendor-released patch version is identified in the available data; affected versions are stated as all releases up to and including 3.4.1, so administrators should monitor https://ajaxloadmore.com/add-ons/filters/ and the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/6e8d9f73-8460-4bcb-a9f8-08eb058bcc09?source=cve) for a fixed release (expected to be the next version above 3.4.1) and upgrade immediately once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WordPress installations using Ajax Load More - Filters plugin and disable it immediately. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8141 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy