PT-2022-16612 · WordPress · Wordpress Infinite Scroll – Ajax Load More

Rasoul Jahanshahi · Published 2022-09-06 · Updated 2025-08-21 · CVE-2022-2433

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: WordPress Infinite Scroll – Ajax Load More plugin, versions up to and including 5.5.3
Description: The plugin deserializes untrusted input supplied through the alm repeaters export parameter. An unauthenticated attacker who can trick a site administrator into performing a specific action, such as clicking a link, can make the plugin open a file through the PHAR stream wrapper. The resulting action deserializes and invokes arbitrary PHP objects, which an attacker can abuse only if a suitable POP chain is present in the loaded code. Additionally, the attacker must first have uploaded a file containing the serialized payload.
Recommendations: For WordPress Infinite Scroll – Ajax Load More plugin versions up to and including 5.5.3, consider disabling the alm repeaters export parameter until a patch is available, so that untrusted input is not deserialized. Restrict access to the plugin's functionality to reduce exposure, particularly where an attacker could trick an administrator into an action that deserializes a malicious payload.
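One way to apply the interim recommendation above on a site that cannot yet update, as an added example that is not part of the plugin or of this advisory: a must-use plugin that refuses any request whose export parameter carries a stream-wrapper scheme such as phar:// before the plugin's own code runs. The parameter name alm_repeaters_export is assumed (the advisory writes it as "alm repeaters export"), and the function and constant names are hypothetical.

```php
<?php
/*
 * Plugin Name: ALM export parameter guard (interim mitigation, added example)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Assumed spelling of the parameter the advisory calls "alm repeaters export".
const ALM_GUARD_PARAM = 'alm_repeaters_export';

/**
 * True when a value carries a stream-wrapper scheme (phar://, php://, file://,
 * data:, ...), a null byte or a traversal sequence. None of these belong in a
 * plain repeater/export name, so rejecting them costs legitimate users nothing.
 */
function alm_guard_is_suspicious($value): bool {
    if (!is_string($value)) {
        return true;                  // arrays or objects are never a valid name
    }
    // A scheme prefix at the start of the path, or "://" anywhere in it.
    if (preg_match('#^\s*[a-z][a-z0-9+.\-]*:|://#i', $value)) {
        return true;
    }
    return strpos($value, "\0") !== false || strpos($value, '..') !== false;
}

/** Log and refuse the request outright before the plugin's handler can run. */
function alm_guard_block_request(): void {
    foreach ([$_GET, $_POST] as $source) {
        if (!array_key_exists(ALM_GUARD_PARAM, $source)) {
            continue;
        }
        if (alm_guard_is_suspicious($source[ALM_GUARD_PARAM])) {
            error_log(sprintf('ALM guard: blocked suspicious %s from %s',
                              ALM_GUARD_PARAM,
                              $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
            wp_die('Request blocked by site policy.', 'Forbidden',
                   ['response' => 403]);
        }
    }
}

// Priority 0 on init: runs for front-end, admin and admin-ajax requests alike.
add_action('init', 'alm_guard_block_request', 0);
```

The error_log line gives the SOC a searchable marker in the PHP error log for any blocked attempt, which is useful evidence of an administrator having been lured into clicking a crafted link.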

Fix

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers: CVE-2022-2433

Affected Products: Wordpress Infinite Scroll – Ajax Load More