Cyber Posture

CVE-2015-10140

HighPublic PoC

Published: 22 July 2025

Published
22 July 2025
Modified
09 January 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.5710 98.2th percentile
Risk Priority 52 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2015-10140 is a high-severity Missing Authorization (CWE-862) vulnerability in Connekthq Ajax Load More. Its CVSS base score is 8.8 (High).

Operationally, ranked in the top 1.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

AC-3 mandates enforcement of approved authorizations for access to system resources, directly addressing the missing authorization checks in the plugin's AJAX actions that enable unauthorized file uploads and deletions.

AC-6 Least Privilege partial match
prevent

AC-6 enforces least privilege, limiting low-privilege users like subscribers from performing high-impact file operations that exceed their assigned roles.

SI-2 Flaw Remediation good match
prevent

SI-2 requires timely remediation of identified flaws, such as patching the Ajax Load More plugin to version 2.8.1.2 or later to fix the authorization vulnerability.

NVD Description

The Ajax Load More plugin before 2.8.1.2 does not have authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber, to upload and delete arbitrary files.

Deeper analysisAI

CVE-2015-10140 is a missing authorization vulnerability (CWE-862) in the Ajax Load More WordPress plugin versions prior to 2.8.1.2. The flaw affects certain AJAX actions within the plugin, which lack proper authorization checks, enabling unauthorized file operations on the server.

Any authenticated user, including low-privilege roles such as subscribers, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation allows attackers to upload and delete arbitrary files, potentially leading to full server compromise, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflecting high impacts on confidentiality, integrity, and availability.

Mitigation involves updating the Ajax Load More plugin to version 2.8.1.2 or later, as indicated by the vulnerability description. Additional details are available in the WPScan advisory at https://wpscan.com/vulnerability/9f0c926e-0609-4c89-a724-88e16bcfa82a.

Details

CWE(s)
CWE-862

Affected Products

connekthq
ajax load more
≤ 2.8.1.2

CVEs Like This One

CVE-2024-12365Shared CWE-862
CVE-2025-67974Shared CWE-862
CVE-2025-65669Shared CWE-862
CVE-2026-28254Shared CWE-862
CVE-2025-48574Shared CWE-862
CVE-2026-3266Shared CWE-862
CVE-2025-69297Shared CWE-862
CVE-2025-69186Shared CWE-862
CVE-2026-25456Shared CWE-862
CVE-2024-12810Shared CWE-862

References