A critical security flaw has been discovered in the Anti-Malware Security and Brute-Force Firewall WordPress plugin, putting more than 100,000 websites at risk.
The vulnerability, identified as CVE-2025-11705, allows authenticated attackers with basic subscriber-level access to read any file stored on the web server, potentially exposing sensitive data including database credentials and security keys.
| Attribute | Details |
| --- | --- |
| CVE ID | CVE-2025-11705 |
| CVSS Rating | 6.5 (Medium) |
| Vulnerability Type | Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read |
| Affected Plugin | Anti-Malware Security and Brute-Force Firewall |
How the Vulnerability Works
The security flaw stems from a missing authorization check in the plugin’s code, specifically within the GOTMLS_ajax_scan() function used to display malware scan results.
Although the function includes nonce protection designed to prevent unauthorized access, attackers with subscriber-level accounts can bypass these safeguards and exploit the vulnerability to read arbitrary files on the server.
The vulnerability is particularly dangerous because it grants low-level users access to critical files like wp-config.php, which contains database credentials and cryptographic security keys essential for WordPress security.
Security researcher Dmitrii Ignatyev discovered this flaw and responsibly reported it through the Wordfence Bug Bounty Program on October 3rd, 2025, earning a $960 bounty for the discovery.
The plugin developer released a patched version, 4.23.83, on October 15th, 2025, just two days after Wordfence validated the vulnerability.
The fix implements proper capability checks through the GOTMLS_kill_invalid_user() function, ensuring that only users with appropriate permissions can access sensitive file operations. This prevents subscribers and other low-privilege users from exploiting the vulnerability.
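The pattern behind this class of bug, shown as an added illustration rather than the plugin's own code: a WordPress admin-ajax handler that checks only a nonce, beside a hardened version that also checks the caller's capability and confines the file path it will read. A nonce proves that the request came from a page WordPress served to the logged-in user; it says nothing about that user's role, and `wp_ajax_{action}` hooks run for every authenticated user, subscribers included. The function names, action name, nonce name and results directory below are hypothetical, and the capability check stands in for the plugin's own `GOTMLS_kill_invalid_user()` named in the advisory.

```php
<?php
// Added example (not code from the plugin): why a nonce alone is not
// authorization, and what a hardened handler adds. All names are hypothetical.

// --- Vulnerable pattern: nonce only -------------------------------------
// check_ajax_referer() only confirms the request originated from a page that
// carried this nonce. Any logged-in role that could load that page can call
// the handler and read whatever path it supplies (wp-config.php included).
function example_ajax_view_file_vulnerable() {
    check_ajax_referer( 'example_scan_nonce', 'nonce' ); // origin check only

    $path = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    echo file_get_contents( $path ); // unrestricted read
    wp_die();
}

// --- Hardened pattern: nonce + capability + path confinement -------------
function example_ajax_view_file_hardened() {
    check_ajax_referer( 'example_scan_nonce', 'nonce' );

    // Authorization: only administrators may read scan result files.
    // A subscriber passes the nonce check above but fails here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Confine reads to one directory (hypothetical location). realpath()
    // resolves symlinks and "..", so the prefix comparison below is reliable.
    $base = realpath( WP_CONTENT_DIR . '/example-scan-results' );
    if ( false === $base ) {
        wp_send_json_error( 'results directory missing', 500 );
    }
    $base = trailingslashit( $base );

    $requested = isset( $_POST['file'] )
        ? sanitize_text_field( wp_unslash( $_POST['file'] ) )
        : '';
    // basename() drops any directory component the caller supplied.
    $resolved = realpath( $base . basename( $requested ) );

    if ( false === $resolved || 0 !== strpos( $resolved, $base ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    wp_send_json_success( array( 'contents' => file_get_contents( $resolved ) ) );
}

// Only the hardened handler is hooked. wp_ajax_* fires for every logged-in
// user regardless of role, which is exactly why the capability check matters.
add_action( 'wp_ajax_example_view_file', 'example_ajax_view_file_hardened' );
```

When reviewing a plugin's AJAX handlers, the check to make is that every `wp_ajax_` callback that touches files, options or user data pairs its nonce check with a `current_user_can()` test for the capability the operation actually needs; a nonce check on its own is a CSRF control, not an access control.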
Wordfence Premium, Care, and Response users received firewall protection against potential exploits on October 14th, 2025. Users of the free version of Wordfence will receive the same protection on November 13th, 2025, following the standard 30-day delay.
Website administrators using the Anti-Malware Security and Brute-Force Firewall plugin must immediately update to version 4.23.83 or later to protect their sites from exploitation.
The vulnerability affects all versions up to and including 4.23.81, making timely updates critical for maintaining website security.
This incident highlights the importance of regular plugin updates and monitoring security advisories.
Site owners should verify their plugin versions and implement updates promptly to prevent unauthorized access to sensitive server files and maintain the integrity of their WordPress installations.