Description
I'm managing a site that gets a ton of traffic each month and, by consequence, a lot of bot traffic. Like most WordPress sites, the admin-ajax.php endpoint is open for pretty much anyone to hit with a proper request. We have a few instances of ALM on the frontend and bots have started abusing the ajax calls to include a sort of cross scripting attempt. See an example of the error reported below by our hosting platform:
GET "/wp-admin/admin-ajax.php?action=alm_get_posts&query_type=standard&id=9465113140&post_id=36&slug=news&canonical_url=https%3A%2F%2Flosangeles.trapac.com%2Fnews%2F&posts_per_page=6&page=0&offset=javascript:console[(Object.keys(console)[0])](2..constructor(3657880*5354838));//&post_type=post&repeater=default&seo_start_page=1&paging=true&theme_repeater=post.php&category=los-angeles&order=DESC&orderby=date"
That offset parameter is causing the following PHP fatal error:
PHP Fatal error:  Uncaught TypeError: Unsupported operand types: string + int in /wp-content/plugins/ajax-load-more/ajax-load-more.php:535
When you inspect that line of code, you see that none of the variables in that mathematical calculation are being type checked to confirm they're actual numbers.
While the end result of this is still that the execution is killed, it's simply not graceful and arguably could be a security hole. Not to mention it's clogging up my hosting error logs with 500 responses. Do you think you could work in a fix in your next plugin patch?
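The fix the reporter is asking for, shown as an added example that is not the Ajax Load More plugin's own code: coerce every request parameter that feeds arithmetic to a bounded integer before it is used. The `$request` array is constructed from the query string quoted in the issue, and the expression `offset + page * posts_per_page` is a stand-in for the un-typed calculation at ajax-load-more.php:535, whose exact form the issue does not show; the helper name `alm_int_param` is hypothetical.

```php
<?php
// Added example, not Ajax Load More's own code. The arithmetic below is a
// stand-in for the untyped calculation the issue reports at line 535 (assumed).
declare(strict_types=1);

/**
 * Coerce a request parameter to a bounded non-negative integer.
 * Anything FILTER_VALIDATE_INT rejects ("javascript:...", "12abc", "", arrays)
 * falls back to $default, so downstream arithmetic only ever sees ints.
 */
function alm_int_param(array $params, string $key, int $default = 0, int $min = 0, int $max = PHP_INT_MAX): int
{
    if (!isset($params[$key]) || is_array($params[$key])) {
        return $default;
    }
    $value = filter_var($params[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? $default : $value;
}

/** Unchecked variant: reproduces the reported fatal on PHP 8. */
function alm_offset_unchecked(array $params): int
{
    // "javascript:console[...]" + int -> TypeError: Unsupported operand types: string + int
    return $params['offset'] + ($params['page'] * $params['posts_per_page']);
}

/** Hardened variant: every operand is an int before the arithmetic runs. */
function alm_offset_checked(array $params): int
{
    $offset         = alm_int_param($params, 'offset', 0, 0, 100000);
    $page           = alm_int_param($params, 'page', 0, 0, 10000);
    $posts_per_page = alm_int_param($params, 'posts_per_page', 6, 1, 100);
    return $offset + ($page * $posts_per_page);
}

// Constructed from the GET line quoted in the issue (offset parameter tampered).
$request = [
    'action'         => 'alm_get_posts',
    'posts_per_page' => '6',
    'page'           => '0',
    'offset'         => 'javascript:console[(Object.keys(console)[0])](2..constructor(3657880*5354838));//',
];

try {
    var_dump(alm_offset_unchecked($request));
} catch (TypeError $e) {
    // Same class of error as the hosting log: the bad string reaches "+" untouched.
    echo "unchecked: " . $e->getMessage() . PHP_EOL;
}

// The tampered offset is dropped to its default and the request is served normally.
var_dump(alm_offset_checked($request));
```

Inside a WordPress plugin the same effect is usually achieved with `absint()` or `intval()` on each `$_GET`/`$_POST` value, which silently coerces rather than rejecting; either approach stops the `TypeError` and therefore the 500 responses filling the error log. Note that the injected value is never executed or echoed by this code path, so the tampering is a request-validation problem rather than a demonstrated script injection; the bounds on `posts_per_page` also keep a bot from requesting an unbounded page size.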