CVE-2022-2943: 
WordPress vulnerability analysis and mitigation

The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to arbitrary file reading in versions up to and including 5.5.3. The vulnerability was discovered in August 2022 and assigned CVE-2022-2943. The issue affects the almrepeatersexport() function due to insufficient file path validation (CVE Details).

The vulnerability exists in the almrepeatersexport() function which lacks proper file path validation. This allows authenticated attackers with administrative privileges to download arbitrary files hosted on the server through the WordPress admin interface. The vulnerability has a CVSS v3.1 base score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N (AttackerKB).

The vulnerability allows authenticated attackers with administrative privileges to read arbitrary files on the server, including sensitive files such as wp-config.php which may contain database credentials and other configuration information (Github POC).

Users should update to version 5.5.4 or later which includes security fixes for this vulnerability. The update was released in August 2022 and includes patches for potential admin level exploits with Repeater exports (Plugin Changelog).