WordPress security plugin exposes private data to website subscribers

The Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, has a vulnerability that allows subscribers to read any file on the server, potentially exposing private data.

The plugin offers malware scanning and protection against brute-force attacks, exploitation of known plugin flaws, and database injection attempts.

Tracked as CVE-2025-11705, the vulnerability was reported to Wordfence by researcher Dmitrii Ignatyev and affects plugin versions 4.23.81 and earlier.

The issue stems from missing capability checks in the GOTMLS_ajax_scan() function, which processes AJAX requests using a nonce that attackers could obtain.

This oversight allows a low-privileged user who can invoke the function to read arbitrary files on the server, including sensitive data such as the wp-config.php configuration file, which stores the database name and credentials.

With access to the database, an attacker can extract password hashes, users' emails, posts, and other private data (as well as the keys and salts used for secure authentication).

Although the severity of the vulnerability is not considered critical, because authentication is required for exploitation, many websites allow users to subscribe and thereby gain access to various sections of the site, such as comments.

Sites that offer any kind of membership or subscription, allowing users to create accounts, meet that requirement and are vulnerable to attacks exploiting CVE-2025-11705.

Wordfence reported the issue to the vendor, Eli, together with a validated proof-of-concept exploit, through the WordPress.org Security Team on October 14.

On October 15, the developer released version 4.23.83 of the plugin, which addresses CVE-2025-11705 by adding a proper user capability check via a new 'GOTMLS_kill_invalid_user()' function.
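The class of bug described above, a WordPress admin-ajax handler that verifies a nonce but never checks the caller's capability, is illustrated here with an added example that is not the plugin's code; the function names, action names and the 'demo_scan_nonce' nonce are hypothetical. The weak handler trusts any logged-in user who can obtain the nonce, while the hardened handler also requires an administrator capability and confines the requested path to the WordPress install directory.

```php
<?php
// Added illustration of the missing-capability-check pattern; not code from
// the Anti-Malware Security and Brute-Force Firewall plugin.

// WEAK: a nonce only proves the request came from a page that printed the
// nonce. Any authenticated role that can reach such a page passes this check.
function demo_scan_ajax_weak() {
    check_ajax_referer( 'demo_scan_nonce', 'nonce' );
    $path = isset( $_POST['path'] ) ? wp_unslash( $_POST['path'] ) : '';
    wp_send_json_success( demo_run_scan( $path ) );
}
add_action( 'wp_ajax_demo_scan_weak', 'demo_scan_ajax_weak' );

// HARDENED: the nonce proves intent, current_user_can() proves authority,
// and the path is confined to the install root before anything touches disk.
function demo_scan_ajax_hardened() {
    check_ajax_referer( 'demo_scan_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() terminates the request after sending the reply.
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
    $path = isset( $_POST['path'] ) ? sanitize_text_field( wp_unslash( $_POST['path'] ) ) : '';
    $real = realpath( $path );
    $root = realpath( ABSPATH );
    // Reject unresolvable paths and anything outside the WordPress directory,
    // so a caller cannot point the scan at wp-config.php's parent or /etc.
    if ( false === $real || 0 !== strpos( $real, $root . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( array( 'message' => 'Path outside install root.' ), 400 );
    }
    wp_send_json_success( demo_run_scan( $real ) );
}
add_action( 'wp_ajax_demo_scan_hardened', 'demo_scan_ajax_hardened' );

// Placeholder scan routine: returns metadata only, never file contents.
function demo_run_scan( $path ) {
    return array(
        'path' => $path,
        'size' => is_file( $path ) ? filesize( $path ) : null,
    );
}
```

For review purposes, the check to look for in any wp_ajax_* handler is a current_user_can() call (or an equivalent role gate) alongside check_ajax_referer(); a nonce on its own is not an authorization control.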

According to WordPress.org stats, roughly 50,000 site administrators have downloaded the latest version since its release, indicating that an equal number of sites are still running a vulnerable version of the plugin.

At the moment, Wordfence has not detected signs of exploitation in the wild, but applying the patch is strongly recommended, as public disclosure of the issue could draw attackers' attention.
