Atomic Edge analysis of CVE-2026-8141 (metadata-based): A stored cross-site scripting (XSS) vulnerability exists in the Ajax Load More – Filters plugin for WordPress, affecting all versions up to and including 3.4.1. The flaw resides in insufficient input sanitization and output escaping on the ‘taxonomy_include_children’ parameter, allowing unauthenticated attackers to inject arbitrary web scripts. With a CVSS score of 7.2, this is a high-severity issue due to the low complexity and network attack vector.
The root cause is improper neutralization of user-supplied input during page generation (CWE-79). Based on the description and WordPress plugin conventions, the ‘taxonomy_include_children’ parameter is likely processed in an AJAX handler or shortcode callback that saves filter configuration settings in the database or directly outputs them. Without a code diff, specific hooks cannot be confirmed, but Atomic Edge research infers that the plugin fails to apply functions like ‘sanitize_text_field’ on input and ‘esc_attr’ or ‘esc_html’ during output, allowing stored scripts to execute when administrators or site visitors view affected pages.
An unauthenticated attacker can exploit this by sending a crafted AJAX request to ‘/wp-admin/admin-ajax.php’ with the action parameter set to the plugin’s filter save handler, such as ‘ajax_load_more_filters_save_filter’. The ‘taxonomy_include_children’ parameter would carry an XSS payload like ‘”>alert(1)’. Since no nonce or capability check is required, the malicious script is stored and then executed when the filter configuration page or any page displaying the filter is accessed.
Remediation (inferred from CWE) requires implementing input sanitization on the ‘taxonomy_include_children’ parameter using WordPress functions like ‘sanitize_text_field’ or ‘wp_kses’ to strip malicious code, and output escaping with ‘esc_attr’ or ‘esc_html’ when rendering. A patched version (3.4.2) likely applies these measures, and users must update immediately.
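The sketch below shows the remediation pattern described above, together with the nonce and capability checks the exploitation paragraph reports as missing. It is an added example, not code from the plugin or from Atomic Edge. Every `example_alm_*` name, the option key, the nonce action and the assumption that ‘taxonomy_include_children’ is a true/false flag are hypothetical.

```php
<?php
// Added illustration only; this is not the plugin's source.
// Hypothetical names: example_alm_save_filter, example_alm_render_filter,
// the 'example_alm_filter' option and the 'example_alm_filter_nonce' action.

add_action( 'wp_ajax_example_alm_save_filter', 'example_alm_save_filter' );
// No wp_ajax_nopriv_ hook is registered, so logged-out visitors cannot reach the save handler.

function example_alm_save_filter() {
    // Reject requests without a valid nonce, then require an administrator.
    check_ajax_referer( 'example_alm_filter_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Input side: unslash, then strip tags and control characters.
    $raw = isset( $_POST['taxonomy_include_children'] )
        ? sanitize_text_field( wp_unslash( $_POST['taxonomy_include_children'] ) )
        : '';

    // Assumption: the setting is a true/false flag, so anything else is replaced by a default.
    $value = in_array( $raw, array( 'true', 'false' ), true ) ? $raw : 'true';

    update_option( 'example_alm_filter', array( 'taxonomy_include_children' => $value ) );
    wp_send_json_success();
}

function example_alm_render_filter() {
    $config = get_option( 'example_alm_filter', array() );
    $value  = isset( $config['taxonomy_include_children'] )
        ? $config['taxonomy_include_children']
        : 'true';

    // Output side: escape even though the value was sanitized on save,
    // because rows stored before the fix may still contain markup.
    printf(
        '<div class="alm-filter" data-taxonomy-include-children="%s"></div>',
        esc_attr( $value )
    );
}
```

Escaping at render time is what neutralizes values already stored by a vulnerable version; sanitizing on save alone leaves those rows live until they are rewritten.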
If exploited, this vulnerability allows attackers to execute arbitrary JavaScript in the context of any user viewing the affected page. This can lead to session hijacking, theft of sensitive cookies, redirection to credential-phishing pages, or further malware injection such as keylogging or cryptocurrency mining. Administrative users are especially at risk, as an injected script can create backdoor admin accounts or perform actions via forged requests.







