WordPress Plugin Vulnerabilities

Ajax Load More <= 2.11.1 - Local File Inclusion (LFI)

Description

NOTE: The victim should have the paid add-on Custom Repeater or Unlimited installed.

Affects Plugins

Plugin icon
ajax-load-more
Fixed in 2.11.2

References

URL
https://seclists.org/fulldisclosure/2016/Aug/72
URL
https://sumofpwn.nl/advisory/2016/ajax_load_more_local_file_inclusion_vulnerability.html

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
No
WPVDB ID
82650c97-3752-441a-9365-417ef148285d

Timeline

Publicly Published
2016-08-15 (about 9 years ago)
Added
2016-08-16 (about 9 years ago)
Last Updated
2019-11-01 (about 6 years ago)

Other

Published
Title
Published
2025-04-10
Title
InstaWP Connect < 0.1.0.86 - Unauthenticated Local PHP File Inclusion
Published
2025-02-26
Title
Car Dealer Automotive WordPress Theme – Responsive < 1.6.4 - Authenticated (Subscriber+) Arbitrary File Deletion and Read
Published
2024-09-30
Title
Hello World < 2.2.0 - Authenticated (Subscriber+) Arbitrary File Read
Published
2025-05-12
Title
Opal Woo Custom Product Variation < 1.2.1 - Unauthenticated Arbitrary File Deletion
Published
2014-08-01
Title
Vitamin 1.0 - add_headers.php path Parameter Traversal Arbitrary File Access