CVE-2025-47630: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Darren Cooney Ajax Load More

Medium
Published: Wed May 07 2025 (05/07/2025, 14:20:38 UTC)
Source: CVE
Vendor/Project: Darren Cooney
Product: Ajax Load More

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Darren Cooney Ajax Load More allows Stored XSS. This issue affects Ajax Load More: from n/a through 7.3.1.

AI-Powered Analysis

Last updated: 07/05/2025, 06:41:16 UTC

Technical Analysis

CVE-2025-47630 is a Stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the Ajax Load More plugin developed by Darren Cooney. It arises from improper neutralization of input during web page generation, which allows malicious scripts to be stored and later executed in the context of users' browsers. Ajax Load More is a WordPress plugin commonly used to load posts or other content dynamically via AJAX calls, avoiding full page reloads. The vulnerability affects versions up to 7.3.1, though the exact affected versions are not fully enumerated.

The CVSS v3.1 base score is 6.5 (medium severity). The vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:R), a scope change (S:C), and low impact on confidentiality, integrity, and availability (C:L/I:L/A:L). An attacker with at least some privileges (likely contributor or editor roles) can inject malicious JavaScript payloads that are stored and then executed when other users view the affected content. This can lead to session hijacking, privilege escalation, or distribution of malware.

No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on May 7, 2025; the record was assigned by Patchstack and has CISA enrichment. Given the nature of stored XSS, the threat is significant in environments where multiple users interact with content loaded via Ajax Load More, especially in administrative or editorial contexts.

Potential Impact

For European organizations, especially those operating WordPress-based websites with the Ajax Load More plugin, this vulnerability poses a risk of client-side compromise. Attackers could exploit this flaw to execute arbitrary scripts in the browsers of site visitors or administrators, potentially leading to theft of authentication tokens, defacement, or distribution of malicious payloads. This can damage brand reputation, lead to data breaches, and violate GDPR requirements concerning data protection and breach notification. Organizations in sectors such as e-commerce, media, government, and education that rely on dynamic content loading are particularly vulnerable. The scope change in the CVSS vector indicates that exploitation could affect resources beyond the initially vulnerable component, amplifying potential damage. Since exploitation requires some level of privileges and user interaction, insider threats or compromised accounts increase risk. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate it, as attackers may develop exploits once the vulnerability is public.

Mitigation Recommendations

European organizations should immediately audit their WordPress installations to identify the presence and version of the Ajax Load More plugin. Until an official patch is released, mitigation can include:

1) Restricting plugin usage to trusted users with minimal privileges to reduce the likelihood of malicious input;
2) Implementing strict input validation and output encoding on all user-generated content, especially content loaded via Ajax Load More;
3) Employing Web Application Firewalls (WAFs) with custom rules to detect and block typical XSS payloads targeting this plugin;
4) Monitoring logs for suspicious activity related to content submission and AJAX requests;
5) Educating content editors and administrators about the risks of executing untrusted scripts;
6) Considering temporary deactivation of the plugin if feasible until a patch is available;
7) Keeping WordPress core and all plugins updated to minimize exposure to other vulnerabilities;
8) Implementing Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of XSS attacks.
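One way to carry out the audit step across many sites, as an added example that is not part of the original record. It assumes the plugin lives at wp-content/plugins/ajax-load-more/ajax-load-more.php (the directory and file name are assumptions; adjust to your install) and reads the standard "Version:" field of the WordPress plugin header.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (7, 3, 1)  # "through 7.3.1" per the advisory
# Assumed install path of the plugin's main file, relative to the WordPress root.
PLUGIN_MAIN = Path("wp-content/plugins/ajax-load-more/ajax-load-more.php")

def header_version(text):
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^[ \t/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)", text, re.M | re.I)
    return m.group(1) if m else None

def as_tuple(version):
    """Numeric sort key: '7.10' -> (7, 10, 0). A string compare would rank 7.10 below 7.3."""
    nums = [int(n) for n in re.findall(r"\d+", version.split("-")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def classify(text):
    """'affected' if the version is within the advisory's range, else 'not-listed'."""
    version = header_version(text)
    if version is None:
        return "unknown"  # header missing or edited: needs manual review
    return "affected" if as_tuple(version) <= LAST_AFFECTED else "not-listed"

def audit(wp_root):
    """Return (status, version) for one WordPress root directory."""
    main_file = Path(wp_root) / PLUGIN_MAIN
    if not main_file.is_file():
        return ("absent", None)
    # The header sits at the top of the file; the first 8 KiB is enough.
    text = main_file.read_text(encoding="utf-8", errors="replace")[:8192]
    return (classify(text), header_version(text))

if __name__ == "__main__":
    for root in sys.argv[1:]:
        print(root, *audit(root))
```

"not-listed" only means the version is outside the range the advisory names; the record links no patch, so it is not a statement that the version is fixed.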

Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-05-07T10:44:48.425Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9819c4522896dcbd854c

Added to database: 5/21/2025, 9:08:41 AM

Last enriched: 7/5/2025, 6:41:16 AM

Last updated: 7/31/2025, 8:21:32 PM
