CVE-2022-2433
WordPress Infinite Scroll – Ajax Load More <= 5.5.3 - Cross-Site Request Forgery to PHAR Deserialization
highDeserialization of Untrusted Data
7.5
CVSS Score
7.5
CVSS Score
high
Severity
5.5.4
Patched in
1096d
Time to patch
Description
The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to deserialization of untrusted input via the 'alm_repeaters_export' parameter in versions up to, and including 5.5.3. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HAttack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability
Technical Details
Affected versions
<=5.5.3PublishedAugust 22, 2022
Last updatedAugust 21, 2025
Affected pluginajax-load-more
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.