PT-2026-5501 · WordPress · Ajax Load More
Angus Girvan · Published 2026-01-31 · Updated 2026-01-31
CVE-2025-15525
CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress versions through 7.8.1
Description
The Ajax Load More plugin for WordPress does not properly control access to data. Specifically, the parse_custom_args() function lacks correct authorization checks. This allows unauthenticated attackers to view the titles and excerpts of posts that are private, drafts, pending publication, scheduled, or in the trash.
Recommendations
Update to a version newer than 7.8.1.
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Ajax Load More