CVE-2015-10140
📋 TL;DR
The Ajax Load More WordPress plugin before version 2.8.1.2 lacks proper authorization checks in certain AJAX endpoints, allowing any authenticated user (including low-privilege subscribers) to upload and delete arbitrary files on the server. This affects all WordPress sites running vulnerable versions of the plugin.
💻 Affected Systems
- WordPress Ajax Load More plugin, all versions before 2.8.1.2
📦 What is this software?
Ajax Load More by Connekthq, a WordPress plugin that loads additional posts and content on demand ("load more" / infinite scroll) through the WordPress AJAX endpoint, /wp-admin/admin-ajax.php, instead of full page loads.
⚠️ Risk & Real-World Impact
Worst Case
An attacker uploads a PHP file and executes it as the web server user (remote code execution, with access to the database credentials in wp-config.php), deletes files the web server user can write, such as wp-config.php, theme or plugin files, to take the site down, or replaces content files to deface the site.
Likely Case
A Subscriber-level account uploads a web shell and uses it to create an administrator account or read wp-config.php, or deletes uploads and theme files to disrupt the site.
If Mitigated
If PHP execution is disabled in wp-content/uploads and the web server user cannot write outside it, an uploaded file cannot be executed and deletion is limited to files in the uploads directory; a web application firewall that blocks the affected AJAX actions reduces the impact further.
🎯 Exploit Status
Exploitation requires an authenticated account, but any role works, including Subscriber; on sites with open registration (Settings > General > "Anyone can register") an attacker can create such an account themselves. Once logged in, triggering the flaw only requires crafting the AJAX request, so exploitation is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.1.2
Vendor Advisory: https://wpscan.com/vulnerability/9f0c926e-0609-4c89-a724-88e16bcfa82a
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the Ajax Load More plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.8.1.2 or later from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoints
Remove or restrict access to the vulnerable AJAX actions via .htaccess or the web server configuration. Note that admin-ajax.php requests normally carry the action parameter in the POST body, which mod_rewrite cannot inspect, so the rules below only catch requests that put the action in the query string; blocking the body parameter needs a WAF rule (for example ModSecurity). The rules also block legitimate administrators from using these actions.
# Add to .htaccess or virtual host config (requires mod_rewrite)
RewriteEngine On
# REQUEST_URI excludes the query string; no leading ^ so subdirectory installs match too
RewriteCond %{REQUEST_URI} /wp-admin/admin-ajax\.php$
# Match the action parameter exactly, not e.g. action=alm_upload_file_other
RewriteCond %{QUERY_STRING} (^|&)action=(alm_delete_file|alm_upload_file)(&|$)
RewriteRule ^ - [F]
Temporary plugin deactivation
Disable the Ajax Load More plugin until it can be updated to 2.8.1.2 or later
wp plugin deactivate ajax-load-more
🧯 If You Can't Patch
- Disable PHP execution in wp-content/uploads at the web server level (for example a php_flag engine off or a location block that denies .php) so that an uploaded PHP file cannot be executed
- Keep the number of accounts to the minimum needed, disable open registration if it is not required, and monitor the uploads directory and the web server error log for unexpected file creation and deletion
🔍 How to Verify
Check if Vulnerable:
Check the plugin version in Plugins > Installed Plugins, or open ajax-load-more.php in the plugin directory and read the "Version:" line of the plugin header comment; anything below 2.8.1.2 is vulnerable.
Check Version:
wp plugin get ajax-load-more --field=version
Verify Fix Applied:
Confirm the installed version is 2.8.1.2 or higher; then, on a staging copy, log in as a test Subscriber account and confirm that requests to the file upload/delete AJAX actions are refused rather than acted on.
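The version check above is easy to get wrong with a plain string comparison, because "2.8.1.10" sorts before "2.8.1.2" as text. The following script is an added example for this page, not code from the plugin or the advisory: it reads the "Version:" field from a WordPress plugin header (the layout ajax-load-more.php uses) and compares it numerically against the fixed version. The sample header embedded below is constructed for the example and is not the plugin's real file.

```python
import re
from pathlib import Path

# Version that carries the fix, per the advisory above.
FIXED_VERSION = "2.8.1.2"


def parse_version(version):
    """'2.8.1.2' -> (2, 8, 1, 2). Numeric components, so that 2.8.1.10 sorts
    after 2.8.1.2; a plain string comparison would get that wrong."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when the installed version is older than the fixed one.
    Shorter tuples compare as smaller, so '2.8.1' < '2.8.1.2' as intended."""
    return parse_version(installed) < parse_version(fixed)


def header_version(plugin_php_source):
    """Pull the 'Version:' field out of a WordPress plugin header comment."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_php_source, re.MULTILINE)
    return m.group(1) if m else None


def check_plugin_file(path):
    """Read <plugin dir>/ajax-load-more.php and return (version, vulnerable).
    vulnerable is None when no Version header could be found."""
    source = Path(path).read_text(encoding="utf-8", errors="replace")
    version = header_version(source)
    return version, (None if version is None else is_vulnerable(version))


# Constructed sample in the standard WordPress plugin-header layout (not the
# plugin's real file), so the script runs offline.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Ajax Load More
Description: Constructed sample header for the version check example
Version: 2.8.1.1
*/
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python3 check_alm.py /path/to/wp-content/plugins/ajax-load-more/ajax-load-more.php
        print(check_plugin_file(sys.argv[1]))
    else:
        v = header_version(SAMPLE_HEADER)
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
```

The same comparison applies to the output of `wp plugin get ajax-load-more --field=version`: pass that string to `is_vulnerable` rather than comparing it with `<` as text.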
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=alm_upload_file or action=alm_delete_file. Web server access logs do not record the WordPress user or role, so attribute the request to an account through application-level logging (an audit-log plugin) or by correlating the wordpress_logged_in_* cookie; do not infer the role from the User-Agent header.
- New files appearing in wp-content/uploads or other directories writable by the web server user, especially files with a .php extension
- File deletion events in the uploads folder or in theme and plugin directories
Network Indicators:
- Unusual file upload patterns from authenticated users
- Multiple file operations from single user session
SIEM Query (access-log fields; adjust names to your schema, and remember the action may be in the POST body and therefore absent from the query field):
source="web_access_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND (query="*action=alm_upload_file*" OR query="*action=alm_delete_file*")
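To show the log indicators above as running detection logic, here is an added example (written for this page, not part of the plugin or the advisory) that parses Apache/Nginx combined-format access log lines, flags calls to the two AJAX actions named in this advisory, and counts them per source address. The log lines are constructed for the example, with addresses from documentation ranges; the `heartbeat` action is a WordPress core action used as benign traffic, and the `alm_upload_files` line is a deliberate near-miss to show that the match is exact. As noted above, this sees only actions in the query string, not in a POST body.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# AJAX actions named in this advisory for the vulnerable upload/delete endpoints.
SUSPECT_ACTIONS = {"alm_upload_file", "alm_delete_file"}
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Apache/Nginx "combined" log format:
# host ident user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs splits on '&' and URL-decodes; every value is a list.
    rec["params"] = parse_qs(parts.query)
    return rec


def is_alm_file_action(rec):
    """True when the request hits admin-ajax.php with one of the suspect actions.
    Exact match on the action value, so 'alm_upload_files' is not a false positive."""
    if rec["path"] != AJAX_PATH:
        return False
    return any(a in SUSPECT_ACTIONS for a in rec["params"].get("action", []))


def find_hits(lines):
    """All parsed records that match the advisory's actions, in log order."""
    return [rec for rec in map(parse_line, lines) if rec and is_alm_file_action(rec)]


def sources_over_threshold(hits, threshold=2):
    """Client IPs with at least `threshold` suspect calls: the 'multiple file
    operations from a single source' indicator listed above."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:10:11:12 +0000] "POST /wp-admin/admin-ajax.php?action=alm_upload_file HTTP/1.1" 200 54 "https://example.com/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2015:10:11:19 +0000] "POST /wp-admin/admin-ajax.php?action=alm_delete_file&_=1426155072 HTTP/1.1" 200 12 "https://example.com/wp-admin/" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2015:10:12:01 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "https://example.com/wp-admin/post.php" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2015:10:12:05 +0000] "GET /wp-content/uploads/2015/03/photo.jpg HTTP/1.1" 200 48213 "https://example.com/" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2015:10:13:40 +0000] "POST /wp-admin/admin-ajax.php?action=alm_upload_files HTTP/1.1" 400 0 "-" "curl/7.40.0"
this line is not in combined log format
""".splitlines()


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["ip"], h["method"], h["params"]["action"][0], h["status"])
    print("sources over threshold:", sources_over_threshold(hits))
```

For a real log, replace `SAMPLE_LOG` with the lines of the access log file; a 200 response on a hit from a vulnerable version is the strongest signal, since the fixed version refuses the action for unauthorized users.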