Cyber Resilience

CVE-2015-10140

HighPublic PoC

Published: 22 July 2025

Published
22 July 2025
Modified
09 January 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.7387 98.8th percentile
Risk Priority 62 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2015-10140 is a high-severity Missing Authorization (CWE-862) vulnerability in Connekthq Ajax Load More. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2015-10140 is a missing authorization vulnerability (CWE-862) in the Ajax Load More WordPress plugin versions prior to 2.8.1.2. The flaw affects certain AJAX actions within the plugin, which lack proper authorization checks, enabling unauthorized file operations on the server.

Any authenticated user, including low-privilege roles such as subscribers, can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation allows attackers to upload and delete arbitrary files, potentially leading to full server compromise, with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflecting high impacts on confidentiality, integrity, and availability.

Mitigation involves updating the Ajax Load More plugin to version 2.8.1.2 or later, as indicated by the vulnerability description. Additional details are available in the WPScan advisory at https://wpscan.com/vulnerability/9f0c926e-0609-4c89-a724-88e16bcfa82a.

EU & UK References

Vulnerability details

The Ajax Load More plugin before 2.8.1.2 does not have authorisation in some of its AJAX actions, allowing any authenticated users, such as subscriber, to upload and delete arbitrary files.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1105 Ingress Tool Transfer Command And Control
Adversaries may transfer tools or other files from an external system into a compromised environment.
T1070.004 File Deletion Stealth
Adversaries may delete files left behind by the actions of their intrusion activity.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Missing authorization on AJAX file operations in public-facing WordPress plugin directly enables remote exploitation (T1190) leading to arbitrary file upload (T1105, T1505.003 web shell) and deletion (T1070.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-10690Shared CWE-862
CVE-2025-5394Shared CWE-862
CVE-2026-40189Shared CWE-862
CVE-2025-1307Shared CWE-862
CVE-2026-5464Shared CWE-862
CVE-2024-13361Shared CWE-862
CVE-2024-11270Shared CWE-862
CVE-2025-8418Shared CWE-862
CVE-2026-5294Shared CWE-862
CVE-2024-12848Shared CWE-862

Affected Assets

connekthq
ajax load more
≤ 2.8.1.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 mandates enforcement of approved authorizations for access to system resources, directly addressing the missing authorization checks in the plugin's AJAX actions that enable unauthorized file uploads and deletions.

prevent

AC-6 enforces least privilege, limiting low-privilege users like subscribers from performing high-impact file operations that exceed their assigned roles.

prevent

SI-2 requires timely remediation of identified flaws, such as patching the Ajax Load More plugin to version 2.8.1.2 or later to fix the authorization vulnerability.

References