Ajax Load More has been restored on wordpress.org and can be downloaded and installed through your Plugins Dashboard.
Thanks to the plugins team for there work in restoring the plugin.
I have been contacted by many Ajax Load More users who have noticed the plugin is no longer available for download in the WordPress plugin repository and everyone has the same questions, what happened? and when will the plugin be available for download?
In the interest of full transparency, I want to take this time to explain in as much detail as I can what is happening with the plugin.
What is the security vulnerability that affects Ajax Load More?
I don’t want to release the exact details of the exploit because it only affects a very small percentage of our users and don’t want the exploit made public. However, I can say that it only affects website’s with Subscriber and Contributor roles.
Have you fixed the exploit?
Yes, I released a patched version of Ajax Load More less than 4 hours after the vulnerability was discovered. However, by this time WordPress had already pulled ALM from the repository and is now is a long line awaiting review.
Does the exploit affect any add-ons?
No, it does not – all of our add-ons have been reviewed internally and as far as we can tell are secure and without any vulnerabilities.
Where can I download the latest version?
For the time being you can only download the patched version (version 188.8.131.52) of Ajax Load More directly from our website.
Timeline of Events
5pm – Friday, October 2nd, 2015
I received an email from a user who goes by Pizza Hat Hacker.
The email started with the following:
I am contacting you to inform that I have found a software security vulnerability in the wordpress plugin ajax-load-more. It affects at least versions 2.7.3 and 184.108.40.206…
As I continued to read the email, it became clear that this was in fact a real issue and it needed to be resolved as soon as possible.
About 10 minutes after that another email came in from firstname.lastname@example.org.
Your plugin has had to be temporarily withdrawn from the WordPress plugin repository due to an exploit…
This action is applied to all plugins hosted in the WordPress repository. As soon as a fix is committed, the plugin can be checked and re-opened.
Your plugin will not be re-opened until it is reviewed, and it won’t be reviewed until you reply to this email, so please do so as soon as you’ve corrected the issue and checked the new code into SVN. This review process may take a while. Please be patient. While we fully understand that your plugin is important to you, it can take us up to 5 business days to give your plugin a full review.
9pm – Friday, October 2nd, 2015
Less than 5 hours after the exploit was discovered I committed Ajax Load More version 220.127.116.11 to SVN – this release patched the issues as detailed by Pizza Hat Hacker in his initial email. I then replied to the WordPress team outlining each change that was made to combat the exploit.
Saturday, October 3rd – Present
Over the past 4 days I’ve been in contact with Pizza Hat Hacker who has reviewed the updated plugin and confirmed the vulnerability has been removed
Saturday, October 8th
Ajax Load More is back on wordpress.org.
If you any concerns or questions please don’t hesitate to contact us.