CVE-2025-15525

MEDIUM 5.3

Ajax Load More – Infinite Scroll, Lazy Load & Load More <= 7.8.1 - Incorrect Authorization to Unauthenticated Private/Draft Post Title and Excerpt Exposure

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose the titles and excerpts of private, draft, pending, scheduled, and trashed posts.

CWE	CWE-863
Vendor	dcooney
Product	ajax load more – infinite scroll, load more, & lazy load
Published	Jan 31, 2026
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for dcooney ajax load more – infinite scroll, load more, & lazy load

Be the first to know when new medium vulnerabilities affecting dcooney ajax load more – infinite scroll, load more, & lazy load are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

dcooney / Ajax Load More – Infinite Scroll, Load More, & Lazy Load

0 ≤ 7.8.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/d01f4e67-a463-4973-97b1-41a64398686a?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/ajax-load-more/tags/7.8.1/core/classes/class-alm-queryargs.php#L500

Credits

Angus Girvan