PT-2021-15686 · WordPress · Ajax Load More

Khanh +1

Published: 2021-03-18 · Updated: 2021-03-22

CVE-2021-24140

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Ajax Load More WordPress plugin, versions prior to 5.3.2.
Description: The Ajax Load More WordPress plugin does not validate the repeater parameter, which leads to SQL injection. The injection is reachable through the POST /wp-admin/admin-ajax.php endpoint: setting repeater to ' or sleep(5)# with type set to test triggers it. The CVSS vector above rates the required privileges as high (PR:H), so an authenticated high-privilege account is needed to reach the injection.
Recommendations: If you run a version prior to 5.3.2, update to 5.3.2 or later to resolve the issue. As a temporary workaround until the update is applied, consider restricting access to the /wp-admin/admin-ajax.php endpoint and avoid using the repeater parameter of the affected endpoint.
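As an added illustration (not code from the advisory or from the plugin), the following Python check flags admin-ajax.php requests whose repeater parameter is not a plain template identifier, which is the kind of validation a defender would expect the endpoint to enforce; the sample requests, the allowlist pattern, the time-based markers and the role field are constructed assumptions, not taken from the plugin:

```python
import re
from urllib.parse import parse_qs, urlencode

# Constructed sample of request records as a reverse proxy or WAF might log
# them: (method, path, form body, WordPress role of the session). Not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/wp-admin/admin-ajax.php",
     urlencode({"action": "alm_get_posts", "repeater": "default", "type": "test"}), "editor"),
    ("POST", "/wp-admin/admin-ajax.php",
     urlencode({"repeater": "' or sleep(5)#", "type": "test"}), "administrator"),
    ("POST", "/wp-admin/admin-ajax.php",
     urlencode({"repeater": "template_1", "type": "test"}), "administrator"),
    ("GET", "/wp-content/plugins/ajax-load-more/readme.txt", "", ""),
]

# Assumption: repeater template names are plain identifiers; anything else is
# malformed at best and an injection attempt at worst.
SAFE_REPEATER = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Functions typical of time-based blind SQL injection probes.
TIME_BASED = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.IGNORECASE)


def classify(method, path, body, role):
    """Return a finding for a suspicious admin-ajax.php request, or None if benign."""
    if method != "POST" or path != "/wp-admin/admin-ajax.php":
        return None
    params = parse_qs(body, keep_blank_values=True)
    repeater = params.get("repeater", [None])[0]
    if repeater is None or SAFE_REPEATER.match(repeater):
        return None
    return {
        "param": "repeater",
        "value": repeater,
        "time_based": bool(TIME_BASED.search(repeater)),
        # The advisory's CVSS vector is PR:H: the injection needs a high-privilege
        # session, so a hit from an administrator points at a compromised or abused account.
        "from_admin": role == "administrator",
    }


def scan(requests):
    """Run classify over a batch of records and keep only the findings."""
    return [f for f in (classify(*r) for r in requests) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```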

Fix

SQL injection


Weakness Enumeration

Related Identifiers: CVE-2021-24140

Affected Products: Ajax Load More