WordPress · Ajax Load More · CVE-2021-24140
Name of the Vulnerable Software and Affected Versions:
Ajax Load More WordPress plugin versions prior to 5.3.2
Description:
The Ajax Load More WordPress plugin does not validate the `repeater` parameter before using it in a database query, leading to SQL injection. The injection is reachable through the POST /wp-admin/admin-ajax.php endpoint: with `type` set to `test`, a `repeater` value such as `' or sleep(5)#` is executed as part of the query, producing a measurable delay (time-based blind SQL injection).
Recommendations:
For versions prior to 5.3.2, update to version 5.3.2 or later to resolve the issue.
As a temporary workaround, consider restricting access to the /wp-admin/admin-ajax.php endpoint until the update is applied, bearing in mind that many themes and plugins depend on this endpoint for front-end requests, so a narrow restriction (by source, or on requests carrying the affected parameter) is preferable to blocking it outright.
Avoid using the `repeater` parameter in the affected API endpoint until the issue is resolved.
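As an added illustration (not code from the plugin or from this advisory), the following Python snippet shows the two defender-side checks the description and workaround call for: a detector that flags admin-ajax.php POST requests whose `repeater` parameter carries the SQL-injection markers seen in the payload above, and an allowlist validation of the kind that rejects such values before they reach a query. The JSON-lines log format, the `action=example` placeholder and the slug pattern are assumptions, not the plugin's own behaviour.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed sample request log (assumed format: one JSON object per request
# with method, path and the raw form body). The action name is a placeholder.
SAMPLE_LOG = """\
{"method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=example&type=test&repeater=%27%20or%20sleep(5)%23"}
{"method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=example&type=test&repeater=default"}
{"method":"POST","path":"/wp-admin/admin-ajax.php","body":"action=example&type=test"}
{"method":"GET","path":"/index.php","body":""}
"""

# Markers matching the injection described in the advisory: a quote that breaks
# out of a string literal, a boolean OR, a time-based sleep(), or a comment tail.
SQLI_MARKERS = re.compile(r"['\"]\s*or\b|\bsleep\s*\(|#|--", re.IGNORECASE)

# Illustrative allowlist (an assumption, not the plugin's rule): a repeater
# template name is a short slug, so anything else is rejected up front.
REPEATER_SLUG = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_valid_repeater(value: str) -> bool:
    """Hardening check: accept only slug-shaped repeater names."""
    return bool(REPEATER_SLUG.match(value))


def flag_requests(log_text: str) -> list:
    """Return the suspicious `repeater` values sent to admin-ajax.php via POST."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry["method"] != "POST" or not entry["path"].endswith("/wp-admin/admin-ajax.php"):
            continue
        params = parse_qs(entry["body"], keep_blank_values=True)
        for value in params.get("repeater", []):
            # A value that fails the allowlist AND looks like SQL is a hit.
            if not is_valid_repeater(value) and SQLI_MARKERS.search(value):
                hits.append({"repeater": value, "type": params.get("type", [""])[0]})
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print("suspicious repeater value:", hit)
```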