CVE-2024-4711
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level permissions or higher to inject malicious JavaScript into pages using the Infinite Scroll plugin's shortcode. The injected scripts execute whenever other users view the compromised pages, enabling session hijacking, defacement, or malware distribution. All WordPress sites using vulnerable versions of the Ajax Load More plugin are affected.
💻 Affected Systems
- WordPress Infinite Scroll – Ajax Load More plugin
📦 What is this software?
Ajax Load More by Connekthq
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access, steal sensitive data, install backdoors, or redirect users to malicious sites, potentially compromising the entire WordPress installation and user data.
Likely Case
Attackers deface pages, inject ads or cryptocurrency miners, steal session cookies to hijack user accounts, or redirect users to phishing pages.
If Mitigated
With proper user role management and content review, impact is limited to minor defacement or script injection that can be quickly cleaned.
🎯 Exploit Status
Exploitation requires contributor-level access but is straightforward once authenticated. Public proof-of-concept code exists in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.1.2
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Ajax Load More' plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 7.1.2+ from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate ajax-load-more
Restrict user roles
linuxRemove contributor permissions from untrusted users
wp user list --role=contributor --field=ID | xargs wp user set-role subscriber
🧯 If You Can't Patch
- Implement strict content review process for all posts/pages created by contributors
- Install web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 7.1.1 or lower, you are vulnerable.Check Version:
wp plugin get ajax-load-more --field=versionVerify Fix Applied:
Verify plugin version is 7.1.2 or higher. Test shortcode functionality to ensure it still works without errors.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to wp-admin/post.php with ajax_load_more shortcode containing script tags
- Multiple page edits by contributor users in short timeframe
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Unexpected JavaScript loading from your domain
SIEM Query:
source="wordpress" AND ("ajax_load_more" OR "shortcode") AND ("script" OR "javascript" OR "onclick")🔗 References
- https://plugins.trac.wordpress.org/browser/ajax-load-more/trunk/build/frontend/ajax-load-more.js
- https://plugins.trac.wordpress.org/browser/ajax-load-more/trunk/core/classes/class-alm-shortcode.php#L1191
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3095200%40ajax-load-more&new=3095200%40ajax-load-more&sfp_email=&sfph_mail=#file3
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e86c080d-202c-4c41-b9cc-c35249aabba5?source=cve
- https://plugins.trac.wordpress.org/browser/ajax-load-more/trunk/build/frontend/ajax-load-more.js
- https://plugins.trac.wordpress.org/browser/ajax-load-more/trunk/core/classes/class-alm-shortcode.php#L1191
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3095200%40ajax-load-more&new=3095200%40ajax-load-more&sfp_email=&sfph_mail=#file3
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e86c080d-202c-4c41-b9cc-c35249aabba5?source=cve
