Ajax Load More – Infinite Scroll, Load More, & Lazy Load Security & Risk Analysis

The 'ajax-load-more' v7.8.3 plugin exhibits a concerning security posture. While it demonstrates some positive practices like a reasonable percentage of properly escaped output and the absence of dangerous functions, significant risks are present. The static analysis reveals a notable attack surface with 7 AJAX handlers, 2 of which lack authentication checks, presenting clear entry points for unauthorized actions. Furthermore, the taint analysis indicates flows with unsanitized paths, suggesting potential vulnerabilities like path traversal if these flows are not properly handled. The plugin's vulnerability history is particularly alarming, with a substantial number of known CVEs (17) across a wide range of critical to medium severity types, including improper authorization, cross-site scripting, path traversal, SQL injection, and remote file inclusion. The presence of critical and high-severity vulnerabilities in its past, even though none are currently unpatched, suggests a recurring pattern of security weaknesses. The latest reported vulnerability date (2026-01-30) is in the future, which is likely an anomaly in the data, but it doesn't negate the historical severity of past issues.

In conclusion, while the plugin has some strengths, the combination of unprotected AJAX endpoints, unsanitized path flows, and a history rife with severe vulnerabilities demands caution. The potential for attackers to exploit the unprotected AJAX handlers or unsanitized paths to trigger previously identified vulnerability types is a significant concern. Users should carefully weigh the benefits of this plugin against the potential security risks and ensure they are using the absolute latest available, patched version. The historical pattern of severe vulnerabilities indicates that ongoing vigilance and prompt updates are crucial if this plugin is to be used.