CVE-2025-15525
Unknown Unknown - Not Provided
Unauthorized Data Access in Ajax Load More WordPress Plugin

Publication date: 2026-01-31

Last updated on: 2026-01-31

Assigner: Wordfence

Description
The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose the titles and excerpts of private, draft, pending, scheduled, and trashed posts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-31
Last Modified
2026-01-31
Generated
2026-06-16
AI Q&A
2026-01-31
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15525
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ajax_load_more ajax_load_more to 7.8.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Ajax Load More WordPress plugin (up to version 7.8.1) due to incorrect authorization in the parse_custom_args() function. It allows unauthenticated attackers to access data they should not be able to see, specifically exposing the titles and excerpts of private, draft, pending, scheduled, and trashed posts.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive content on a WordPress site using the Ajax Load More plugin. Attackers without authentication can view titles and excerpts of posts that are meant to be private or unpublished, potentially leaking confidential or sensitive information.

Mitigation Strategies

To mitigate this vulnerability, you should update the Ajax Load More plugin to a version later than 7.8.1 where the authorization issue in the parse_custom_args() function is fixed. Until an update is applied, restrict access to the plugin's AJAX endpoints to authenticated users only, and review user permissions to limit exposure of private, draft, pending, scheduled, and trashed posts. Additionally, monitor for any unauthorized access attempts and consider disabling the plugin if immediate patching is not possible.

Compliance Impact

This vulnerability allows unauthorized access to private, draft, pending, scheduled, and trashed post titles and excerpts, potentially exposing sensitive or confidential information. Such unauthorized data exposure can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require proper access controls to protect personal and sensitive data. [2]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized access attempts to the Ajax Load More plugin's AJAX endpoints that invoke the parse_custom_args() function, which may expose private, draft, pending, scheduled, and trashed post titles and excerpts. You can detect suspicious HTTP requests targeting the plugin's AJAX handler, especially those that do not require authentication but return data for non-public post statuses. For example, using command-line tools like curl or wget to simulate such requests and observe responses can help detect exploitation attempts. A sample curl command to test might be: curl -X POST 'https://yourwordpresssite.com/wp-admin/admin-ajax.php' -d 'action=alm_parse_custom_args&parameters=...' (replace parameters with typical query args). Additionally, network monitoring tools like tcpdump or Wireshark can be used to capture and analyze HTTP POST requests to admin-ajax.php for suspicious patterns. However, specific commands or signatures are not provided in the available resources. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15525. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart