CVE-2025-15525
Unauthorized Data Access in Ajax Load More WordPress Plugin
Publication date: 2026-01-31
Last updated on: 2026-01-31
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ajax_load_more | ajax_load_more | up to and including 7.8.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Ajax Load More WordPress plugin (up to and including version 7.8.1) because of incorrect authorization (CWE-863) in the parse_custom_args() function: the query arguments the plugin accepts from the request are used to build the post query without verifying that the caller is allowed to read the requested post statuses. As a result, unauthenticated attackers can retrieve the titles and excerpts of private, draft, pending, scheduled (future) and trashed posts, none of which WordPress would expose to an anonymous visitor through its normal front end.
How can this vulnerability impact me?
The vulnerability leads to unauthorized disclosure of content on any WordPress site running an affected version of Ajax Load More. An attacker with no account can read the titles and excerpts of posts that are private or not yet published, which is exactly the content site owners usually assume is hidden (embargoed announcements, unpublished drafts, material moved to the trash, or posts deliberately marked private). Excerpts are derived from the post body, so the leak is not limited to headlines. No authentication, user interaction or special configuration is needed.
What immediate steps should I take to mitigate this vulnerability?
Update the Ajax Load More plugin to a version later than 7.8.1, in which the authorization check in parse_custom_args() is corrected; the affected range listed on this page ends at 7.8.1 inclusive. If you cannot update immediately, note that the plugin serves anonymous front-end visitors by design, so restricting its AJAX endpoint to logged-in users will break the "load more" function for them; a more targeted interim measure is to block or filter (for example in a WAF) requests to the plugin's endpoint that name non-public post statuses such as private, draft, pending, future or trash. Review which sensitive material currently sits in non-public posts, since it is their titles and excerpts that leak, and treat anything already exposed as disclosed. Monitor your access logs for such requests (see the detection question below), and consider deactivating the plugin until it can be patched if the site holds confidential unpublished content.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthorized access to private, draft, pending, scheduled, and trashed post titles and excerpts, potentially exposing sensitive or confidential information. Such unauthorized data exposure can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require proper access controls to protect personal and sensitive data. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation goes through the plugin's AJAX handler, which on a standard WordPress install is reached via /wp-admin/admin-ajax.php. Because the plugin legitimately serves anonymous visitors, an unauthenticated request to that endpoint is not suspicious by itself; what is suspicious is a request whose query arguments ask for non-public post statuses (private, draft, pending, future, trash, or a catch-all such as any), particularly from non-browser user agents or from a single client paging through the endpoint in quick succession.

To confirm whether your installation is affected, first observe the requests the plugin itself sends (browser developer tools, network tab) so you know the action name and parameter layout your installed version uses; the resources available for this CVE do not document them, so do not guess. Then replay such a request without any WordPress session cookie, substituting a non-public status for the published one, for example: curl -s -X POST 'https://yourwordpresssite.com/wp-admin/admin-ajax.php' -d 'action=<plugin action>&<query args with a non-public post_status>' where the placeholders are taken from the observed request. If the anonymous response contains titles or excerpts of posts that are not visible on the public site, the installation is vulnerable.

For detection at scale, search your web server or WAF access logs for admin-ajax.php requests whose query string names non-public statuses. Packet capture tools such as tcpdump or Wireshark will only show this for plaintext HTTP; on HTTPS sites, rely on server-side logs or a WAF that sees the decrypted request. Specific signatures or detection commands are not provided in the available resources. [2]
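The log-hunting step described above, written out as a small detector (an added example, not code from the advisory or from the Ajax Load More project). It parses combined-format access log lines, keeps only requests to admin-ajax.php, and flags any whose query string asks for a non-public post status. The parameter name post_status and the action name alm_get_posts in the sample lines are assumptions for illustration; take the real names from your installed version's own requests. The log lines are constructed, not real traffic.

```python
"""Flag admin-ajax.php requests that ask for non-public WordPress post statuses.

Assumptions (not from the advisory): combined access-log format, query
arguments carried in the URL query string, and a parameter named `post_status`.
The sample log below is constructed for the example.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Statuses WordPress does not show anonymous visitors, plus the catch-all
# values that would sweep them in. 'future' is the scheduled status.
NON_PUBLIC_STATUSES = {
    "private", "draft", "pending", "future", "trash",
    "auto-draft", "inherit", "any", "all",
}

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one normal load-more request, two probes for hidden
# posts, one unrelated AJAX call and one unrelated POST.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Jan/2026:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_posts&post_type%5B%5D=post&post_status=publish&page=1 HTTP/1.1" 200 2413 "https://example.com/blog/" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_posts&post_type%5B%5D=post&post_status=draft,private&page=1 HTTP/1.1" 200 5190 "-" "python-requests/2.31"
198.51.100.4 - - [31/Jan/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_posts&post_status%5B%5D=future&post_status%5B%5D=trash HTTP/1.1" 200 3310 "-" "curl/8.5.0"
198.51.100.4 - - [31/Jan/2026:10:00:12 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 61 "-" "curl/8.5.0"
192.0.2.10 - - [31/Jan/2026:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def requested_statuses(target):
    """Collect every post status named in the request's query string.

    Handles `post_status=draft`, repeated keys, PHP array keys such as
    `post_status[]=` / `post_status[0]=`, and comma-separated lists.
    """
    qs = parse_qs(urlsplit(target).query, keep_blank_values=True)
    found = set()
    for key, values in qs.items():
        base = re.sub(r"\[[^\]]*\]$", "", key)  # strip a trailing [] or [n]
        if base != "post_status":
            continue
        for value in values:
            found.update(s.strip().lower() for s in value.split(",") if s.strip())
    return found


def flag_requests(lines):
    """Return one alert per admin-ajax.php request that names a non-public status."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not urlsplit(rec["target"]).path.endswith("/wp-admin/admin-ajax.php"):
            continue
        hidden = requested_statuses(rec["target"]) & NON_PUBLIC_STATUSES
        if hidden:
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "statuses": sorted(hidden),
                "http_status": rec["status"],  # a 200 with a large body is the worrying case
                "size": rec["size"],
            })
    return alerts


if __name__ == "__main__":
    for alert in flag_requests(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run it against a real log with `flag_requests(open("access.log").readlines())`. A hit only proves someone asked for hidden statuses; whether anything leaked depends on the plugin version, so correlate the response size against a normal request from the same client. Access logs in combined format do not record cookies or POST bodies, so this cannot tell an anonymous caller from a logged-in editor, and it will miss installations whose version of the plugin sends its arguments in a POST body or through the REST API rather than the query string; in those cases apply the same post_status check to WAF or audit logs that record the full request.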