CVE-2025-4775 identifies a stored cross-site scripting vulnerability in the WordPress Infinite Scroll – Ajax Load More plugin developed by dcooney. The vulnerability exists due to improper neutralization of input during web page generation, specifically in the handling of the data-button-label HTML attribute. All plugin versions up to and including 7.4.0.1 fail to sufficiently sanitize and escape this attribute, allowing authenticated users with Contributor-level or higher privileges to inject arbitrary JavaScript code. When other users access pages containing the injected payload, the malicious scripts execute in their browsers. This can lead to a range of attacks including session hijacking, privilege escalation, defacement, or distribution of malware. The vulnerability requires authentication but no user interaction beyond visiting the infected page. The CVSS 3.1 score of 6.4 reflects a medium severity with network attack vector, low attack complexity, and partial confidentiality and integrity impact but no availability impact. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability affects a widely used WordPress plugin, increasing the risk to websites that rely on this functionality for infinite scrolling and AJAX content loading.

The impact of CVE-2025-4775 is significant for organizations using the affected WordPress Infinite Scroll – Ajax Load More plugin, especially those with multiple contributors or editors. Exploitation allows an authenticated contributor to inject persistent malicious scripts that execute in the browsers of any user visiting the compromised pages. This can lead to theft of session cookies, unauthorized actions performed on behalf of users, defacement of website content, or distribution of malware. The vulnerability undermines the integrity and confidentiality of the website and its users. While availability is not directly impacted, the reputational damage and potential data breaches can be severe. Organizations with public-facing WordPress sites that allow contributor-level access are particularly vulnerable. The medium CVSS score indicates moderate risk, but the scope of affected sites could be large given the plugin’s popularity. Attackers could leverage this vulnerability to pivot into further attacks within the organization’s network or to target site visitors.

To mitigate CVE-2025-4775, organizations should take the following specific actions: 1) Immediately review and restrict Contributor-level and higher privileges to trusted users only, minimizing the attack surface. 2) Monitor and audit content changes, especially those involving the data-button-label attribute or similar HTML attributes, to detect suspicious input. 3) Apply strict input validation and output encoding on all user-supplied data within the plugin’s context, potentially by customizing or patching the plugin code if official updates are not yet available. 4) Employ a Web Application Firewall (WAF) with rules targeting stored XSS patterns in WordPress plugins to block malicious payloads. 5) Educate content contributors about the risks of injecting untrusted content and enforce secure content creation policies. 6) Regularly update WordPress core and plugins, and subscribe to security advisories from the plugin vendor and WordPress security teams for forthcoming patches. 7) Consider temporarily disabling the Infinite Scroll – Ajax Load More plugin if the risk is unacceptable and no patch is available. These measures go beyond generic advice by focusing on privilege management, monitoring, and proactive content validation tailored to this vulnerability.