WordPress Security Plugin Vulnerability Exposes Private Server Files to Site Subscribers

A flaw in the Anti-Malware Security and Brute-Force Firewall plugin let WordPress subscribers access private server files, prompting urgent updates to prevent data exposure.

    A widely used WordPress plugin designed to protect websites from malware and brute-force attacks has been found vulnerable to a flaw that could expose sensitive server data to low-privileged users.

    The flaw affects the Anti-Malware Security and Brute-Force Firewall plugin, which is active on over 100,000 websites worldwide. Researchers have warned that the issue could allow site subscribers to read arbitrary files on the hosting server, including critical configuration files that store database credentials.

    CVE-2025-11705 Vulnerability Allows Unauthorized File Access

    Tracked as CVE-2025-11705, the vulnerability was discovered by security researcher Dmitrii Ignatyev and reported to Wordfence. It impacts plugin versions 4.23.81 and earlier.

    The flaw originates from a missing capability check in the GOTMLS_ajax_scan() function, an AJAX handler that validates incoming requests with a nonce token. A nonce only confirms that the request was generated from a page WordPress served to a logged-in user; it is not an authorization check, and the function never verifies the calling user's role or permissions. Any attacker who possesses a valid nonce can therefore invoke the handler and access restricted files on the server.

    This oversight enables low-privileged users, including those with simple subscriber accounts, to retrieve arbitrary files such as wp-config.php, which stores sensitive data like the website’s database name, username, password, and authentication keys.

    Once obtained, these credentials could be used to access stored password hashes, email addresses, posts, and cryptographic salts, potentially compromising the site’s entire database.

    “This flaw stems from missing permission checks, allowing subscribers to read arbitrary files and potentially leak sensitive configuration data,” Wordfence researchers explained in their report.

    Impact on Subscription-Based WordPress Sites

    Although the vulnerability requires authentication, it poses a significant risk to websites that allow user registration or subscriptions. Many sites permit visitors to create basic accounts for commenting or accessing restricted content, thereby granting attackers the low-level access required to exploit the bug.

    This means that any WordPress installation using the vulnerable plugin and offering user registrations may be at risk of unauthorized data exposure.

    Patch Released and Adoption Remains Partial

    The issue was reported to the plugin’s developer, Eli, on October 14 through the WordPress.org Security Team. The following day, on October 15, Eli released version 4.23.83 of the plugin, which adds a new function, GOTMLS_kill_invalid_user(), to perform proper capability checks and block unauthorized access attempts.
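    To make the distinction between the nonce check and the capability check concrete, the following is an added illustration written for this article, not code from the Anti-Malware Security and Brute-Force Firewall plugin: a hypothetical WordPress AJAX handler guarded only by a nonce, beside the same handler with a capability check of the kind the 4.23.83 fix introduces. All function names, the nonce action and the privileged operation are assumptions.

```php
<?php
// Added illustration, not the plugin's code. All names are hypothetical.

// Stand-in for a privileged operation (in the real plugin, a scan action).
function example_privileged_report() {
    return array( 'status' => 'data only administrators should see' );
}

// VULNERABLE pattern: check_ajax_referer() proves the request carries a nonce
// issued to some logged-in user, which protects against CSRF. It says nothing
// about that user's role, so a subscriber with a valid nonce passes this check.
function example_ajax_report_vulnerable() {
    check_ajax_referer( 'example_scan_nonce', 'nonce' );
    wp_send_json_success( example_privileged_report() );
}

// HARDENED pattern: reject any caller lacking the required capability.
// Modelled on the role of GOTMLS_kill_invalid_user() described above; the
// body here is an assumption, not the plugin's implementation.
function example_kill_invalid_user( $capability = 'manage_options' ) {
    if ( ! is_user_logged_in() || ! current_user_can( $capability ) ) {
        // wp_send_json_error() ends the request with wp_die() after sending.
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
}

function example_ajax_report_fixed() {
    check_ajax_referer( 'example_scan_nonce', 'nonce' ); // CSRF: valid nonce required
    example_kill_invalid_user( 'manage_options' );       // authz: administrator required
    wp_send_json_success( example_privileged_report() );
}

// wp_ajax_* hooks fire for every authenticated user, subscribers included, so
// registering under this hook alone does not restrict the handler to admins.
add_action( 'wp_ajax_example_report', 'example_ajax_report_fixed' );
```

    Both checks are needed: the nonce guards against cross-site request forgery, the capability check against low-privileged users calling the endpoint directly.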

    According to WordPress.org download statistics, approximately 50,000 administrators have installed the updated version, meaning that roughly half of the plugin’s total user base remains exposed to potential attacks.

    As of now, Wordfence has not observed active exploitation in the wild, but researchers warn that public disclosure of the vulnerability could soon attract threat actors attempting to target unpatched sites.

    Recommended Actions for Administrators

    Website owners using the Anti-Malware Security and Brute-Force Firewall plugin should:

    • Immediately update to version 4.23.83 or later to close the vulnerability.
    • Review server access logs for unusual file-read activity or unauthorized AJAX requests.
    • Restrict user registration and limit subscriber privileges wherever possible.
    • Consider implementing an additional Web Application Firewall (WAF) layer for enhanced protection.

    Even though the vulnerability is not classified as critical, the ease of exploitation through authenticated subscriber accounts makes it a pressing concern for WordPress administrators operating membership or community-based websites.
