Multiple AJAX handler functions conflict in functions.php

The use of $_POST['action'] in the WP_Query and as a dynamic action name is dangerous, and in the code it triggers the handler on all AJAX requests, even those you don’t want. This is unavoidable and a dead end that cannot be fixed. Alternatives are mandatory.

Instead, use a static non-dynamic action name, e.g. mathieu_loadmode_post_archive or mathieu_loadmode_taxonomy_archive, then pass the post type or taxonomy name in your JavaScript’s AJAX the same way you’re passing tax_term or tax_post_type.

Other notes:

  • Do not use relative paths for admin-ajax.php. The examples use localised data or absolute paths for a reason: your code will fail if your URL structure needs more than one .. with relative paths.
  • Whitelist those options and only allow a limited subset of values. Right now I could request any data I want from your site, or ask it for something extremely slow and expensive. User data is not trustworthy, so don’t pass it into APIs/classes without checks. E.g. what’s to stop me adding a meta_value parameter, or one of the __not_in parameters? Or requesting all posts by an author for an internal post type that’s not meant to be accessible?
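A sketch of the static-action, allowlisted handler described above. This is an added example, not code from the original answer. The allowlist contents, the `page` parameter, the page size and the `mathieu-archive` script handle are assumptions; the action name and `tax_post_type` come from the answer.

```php
<?php
// Added example for a theme's functions.php (not from the original answer).
// Assumption: the only post types this endpoint may ever serve.
const MATHIEU_ALLOWED_POST_TYPES = array( 'post', 'portfolio' );

// Static action names: the handler runs only when action matches exactly.
add_action( 'wp_ajax_mathieu_loadmode_post_archive', 'mathieu_loadmode_post_archive' );
add_action( 'wp_ajax_nopriv_mathieu_loadmode_post_archive', 'mathieu_loadmode_post_archive' );

function mathieu_loadmode_post_archive() {
    $post_type = isset( $_POST['tax_post_type'] )
        ? sanitize_key( wp_unslash( $_POST['tax_post_type'] ) )
        : '';

    // Reject anything not on the allowlist (strict comparison).
    if ( ! in_array( $post_type, MATHIEU_ALLOWED_POST_TYPES, true ) ) {
        wp_send_json_error( 'Unsupported post type', 400 );
    }

    // Assumed 'page' parameter, forced to a positive integer.
    $page = isset( $_POST['page'] ) ? max( 1, absint( $_POST['page'] ) ) : 1;

    // Build the query from fixed keys only; $_POST is never passed through,
    // so meta_value, author or *__not_in parameters cannot be injected.
    $query = new WP_Query( array(
        'post_type'      => $post_type,
        'post_status'    => 'publish',
        'posts_per_page' => 10,
        'paged'          => $page,
        'no_found_rows'  => true,
    ) );

    $items = array();
    foreach ( $query->posts as $post ) {
        $items[] = array(
            'title' => get_the_title( $post ),
            'url'   => get_permalink( $post ),
        );
    }
    wp_send_json_success( $items );
}

// Pass the absolute admin-ajax.php URL to the script instead of a relative path.
// Assumption: a script with the handle 'mathieu-archive' is enqueued elsewhere.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'mathieu-archive', 'mathieuAjax', array(
        'url' => admin_url( 'admin-ajax.php' ),
    ) );
}, 20 );
```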