UPDATE

Ajax Load More has been restored on wordpress.org and can be downloaded and installed through your Plugins Dashboard.

Thanks to the plugins team for there work in restoring the plugin.


Due to a security vulnerability discovered in our Ajax Load More WordPress plugin it has been temporarily pulled from the repository on wordpress.org.

I have been contacted by many Ajax Load More users who have noticed the plugin is no longer available for download in the WordPress plugin repository and everyone has the same questions, what happened? and when will the plugin be available for download?

In the interest of full transparency, I want to take this time to explain in as much detail as I can what is happening with the plugin.

What is the security vulnerability that affects Ajax Load More?
I don’t want to release the exact details of the exploit because it only affects a very small percentage of our users and don’t want the exploit made public. However, I can say that it only affects website’s with Subscriber and Contributor roles.

Have you fixed the exploit?
Yes, I released a patched version of Ajax Load More less than 4 hours after the vulnerability was discovered. However, by this time WordPress had already pulled ALM from the repository and is now is a long line awaiting review.

Does the exploit affect any add-ons?
No, it does not – all of our add-ons have been reviewed internally and as far as we can tell are secure and without any vulnerabilities.

Where can I download the latest version?
For the time being you can only download the patched version (version 2.8.1.2) of Ajax Load More directly from our website.

Timeline of Events

5pm – Friday, October 2nd, 2015
I received an email from a user who goes by Pizza Hat Hacker.
The email started with the following:

I am contacting you to inform that I have found a software security vulnerability in the wordpress plugin ajax-load-more. It affects at least versions 2.7.3 and 2.8.1.1…

As I continued to read the email, it became clear that this was in fact a real issue and it needed to be resolved as soon as possible.

About 10 minutes after that another email came in from plugins@wordpress.org.

Your plugin has had to be temporarily withdrawn from the WordPress plugin repository due to an exploit…

This action is applied to all plugins hosted in the WordPress repository. As soon as a fix is committed, the plugin can be checked and re-opened.

Your plugin will not be re-opened until it is reviewed, and it won’t be reviewed until you reply to this email, so please do so as soon as you’ve corrected the issue and checked the new code into SVN. This review process may take a while. Please be patient. While we fully understand that your plugin is important to you, it can take us up to 5 business days to give your plugin a full review.

 

9pm – Friday, October 2nd, 2015
Less than 5 hours after the exploit was discovered I committed Ajax Load More version 2.8.1.2 to SVN – this release patched the issues as detailed by Pizza Hat Hacker in his initial email. I then replied to the WordPress team outlining each change that was made to combat the exploit.

Saturday, October 3rd – Present
Over the past 4 days I’ve been in contact with Pizza Hat Hacker who has reviewed the updated plugin and confirmed the vulnerability has been removed

Saturday, October 8th
Ajax Load More is back on wordpress.org.

If you any concerns or questions please don’t hesitate to contact us.

Comments

3 thoughts on “Security Exploit Discovered in Ajax Load More”

  1. Rudi van Heerden

    October 15, 2015 @ 8:52 pm
    Reply

    Hey Darren,

    Cheers for an unreal plugin. We have noticed, however, recently on several different builds the repeater templates are not save able anymore running the latest WordPress installs. They only save if you remove all HTML and PHP from the template and you’re just left with a nbsp;

    Running ALM 2.8.2.

    Any thoughts?

    Cheers,
    Rudi

    1. Darren Cooney

      October 16, 2015 @ 8:24 am
      Reply

      Thanks Rudi,
      Sorry to hear about your troubles.
      Would you mind opening a ticket on the support forums (https://wordpress.org/support/plugin/ajax-load-more) or send me an email (https://connekthq.com/contact/) so I can hear more about your issues?

  2. Eric Steffensen

    October 06, 2015 @ 1:17 pm
    Reply

    Thanks for being so open about the status of Ajax Load More. I’d like to know more about what the exploit was, but I understand the reasoning behind not releasing the full details.

    I’ve updated to 2.8.1.2 and everything is working as usual – hopefully the review team will get it together and release your updates soon so everyone can be sure they are safe from the exploit.

    Eric!

Leave a Reply

Your email address will not be published. Required fields are marked *