CVE-2025-15525
📋 TL;DR
The Ajax Load More WordPress plugin has an authorization vulnerability that allows unauthenticated attackers to view titles and excerpts of private, draft, pending, scheduled, and trashed posts. This affects all WordPress sites using the plugin up to version 7.8.1. The vulnerability occurs in the parse_custom_args() function which fails to properly check user permissions.
💻 Affected Systems
- Ajax Load More – Infinite Scroll, Load More, & Lazy Load WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sensitive post metadata could be exposed, potentially revealing confidential information about unpublished content, editorial workflows, or internal communications.
Likely Case
Attackers can enumerate unpublished post titles and excerpts, gaining insight into editorial calendars, upcoming announcements, or internal discussions that should remain private.
If Mitigated
With proper access controls and monitoring, the impact is limited to metadata exposure rather than full content compromise.
🎯 Exploit Status
The vulnerability requires no authentication and exploitation is straightforward via crafted HTTP requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.8.2 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3200000/ajax-load-more
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find 'Ajax Load More'
4. Click 'Update Now' if available
5. Alternatively, download version 7.8.2+ from WordPress.org and manually update
🔧 Temporary Workarounds
Disable Ajax Load More Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate ajax-load-more
Restrict Access via WAF
allBlock requests to the vulnerable endpoint using web application firewall rules
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the WordPress site
- Enable detailed logging and monitoring for suspicious requests to the Ajax Load More endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for Ajax Load More version. If version is 7.8.1 or earlier, you are vulnerable.Check Version:
wp plugin get ajax-load-more --field=versionVerify Fix Applied:
After updating, verify the plugin version shows 7.8.2 or later in WordPress admin.📡 Detection & Monitoring
Log Indicators:
- Unusual volume of requests to /wp-admin/admin-ajax.php with action=alm_get_posts
- Requests with parameters attempting to access post_status values like 'private', 'draft', 'pending'
Network Indicators:
- HTTP POST requests to admin-ajax.php with crafted post_status parameters
- Unusual traffic patterns to WordPress admin endpoints from unauthenticated users
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND parameters CONTAINS "action=alm_get_posts" AND parameters CONTAINS "post_status")