The Anti-Malware Safety and Brute-Drive Firewall plugin for WordPress, put in on over 100,000 websites, has a vulnerability that enables subscribers to learn any file on the server, doubtlessly exposing personal data.
The plugin gives malware scanning and safety towards brute-force assaults, exploitation of recognized plugin flaws, and towards database injection makes an attempt.
Recognized as CVE-2025-11705, the vulnerability was reported to Wordfence by researcher Dmitrii Ignatyev and impacts variations of the plugin 4.23.81 and earlier.
The difficulty stems from lacking functionality checks within the GOTMLS_ajax_scan() perform, which processes AJAX requests utilizing a nonce that attackers might receive.
This oversight permits a low-privileged consumer, who can invoke the perform, to learn arbitrary recordsdata on the server, together with delicate knowledge such because the wp-config.php configuration file that shops the database title and credentials.
With entry to the database, an attacker can extract password hashes, customers’ emails, posts, and different personal knowledge (and keys, salts for safe authentication).
Though the severity of the vulnerability shouldn’t be thought-about essential, as a result of authentication is required for exploitation, many web sites permit customers to subscribe and enhance their entry to numerous sections of the positioning, similar to feedback.
Websites that supply any form of membership or subscription, permitting customers to create accounts, meet the requirement, and are susceptible to assaults exploiting CVE-2025-11705.
Wordfence has reported the difficulty to the seller, Eli, together with a validated proof-of-concept exploit, via the WordPress.org Safety Staff, on October 14.
On October 15, the developer launched model 4.23.83 of the plugin that addresses CVE-2025-11705 by including a correct consumer functionality test through a brand new ‘GOTMLS_kill_invalid_user()’ perform.
In keeping with WordPress.org stats, roughly 50,000 web site directors have downloaded the most recent model since its launch, indicating that an equal variety of websites are working a susceptible model of the plugin.
Presently, Wordfence has not detected indicators of exploitation within the wild, however making use of the patch is strongly beneficial, as the general public disclosure of the difficulty might draw the attackers’ consideration.
46% of environments had passwords cracked, almost doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and knowledge exfiltration tendencies.
