News

Security plugin for WordPress exposed users’ personal data

A vulnerability was discovered in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress that allows minimally privileged users to read arbitrary files on the server. The plugin is installed on more than 100,000 sites, but so far the patch has been applied to only half of them.

The Anti-Malware Security and Brute-Force Firewall plugin is designed to scan websites for malware and to protect against brute-force attacks, exploitation of known bugs in other plugins, and SQL injections.

The CVE-2025-11705 vulnerability was discovered by researcher Dmitry Ignatiev, who reported the issue to the Wordfence team through a bug bounty program. The problem affects version 4.23.81 and earlier.

The bug lies in the GOTMLS_ajax_scan() function, which handles AJAX requests. It lacks a permission check: the function relies solely on a nonce (a request token that guards against CSRF, not an authorization check), which an attacker can obtain.

Because of this, any user with minimal privileges (for example, a regular subscriber) can call this function and read any file on the server. The most attractive target for attackers is the wp-config.php configuration file, which contains the database name and the credentials to access it.

By gaining access to the database, an attacker can extract: password hashes of all users, email addresses, post contents (including drafts), keys and salts for secure authentication, as well as other private data. Armed with this information, they can compromise administrator accounts, seize full control of the vulnerable site, or use the stolen data for further attacks.

Although the issue isn’t officially classified as critical (because it requires authentication), any site with the plugin installed that allows users to create low-privileged accounts is at risk. An attacker only needs to register under any name and exploit the bug.

Wordfence notified the developers about the issue on October 14, 2025, and the very next day, on October 15, version 4.23.83 of the plugin was released, which fixes the problem. The patch adds a new function, GOTMLS_kill_invalid_user(), to check user permissions before performing sensitive operations.
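The defect class described above, nonce-only validation in an admin-ajax handler, and the shape of the fix are shown in this added illustration. It is hypothetical code written for this article, not the plugin's own code and not the actual GOTMLS_kill_invalid_user() implementation; the function names, the `example_scan` action and the `manage_options` capability are assumptions.

```php
<?php
// Hypothetical WordPress admin-ajax handler illustrating CVE-2025-11705's
// defect class (not the plugin's real code).

// WEAK: a nonce only proves the request originated from a page the user loaded.
// It says nothing about whether the user is permitted to perform the action, so
// any logged-in subscriber who can obtain the nonce passes this check and the
// handler reads whatever path the request names.
function example_scan_ajax_weak() {
    check_ajax_referer( 'example_scan_nonce', 'nonce' ); // CSRF token only
    $path = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    wp_send_json_success( array( 'contents' => file_get_contents( $path ) ) );
}

// HARDENED: keep the nonce check, then require an administrative capability
// before doing anything sensitive, and confine the path to an allow-listed
// directory so even an administrator cannot reach wp-config.php through it.
function example_scan_ajax_hardened() {
    check_ajax_referer( 'example_scan_nonce', 'nonce' );

    // Authorization check that the vulnerable version lacked.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $requested = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    $base      = realpath( WP_CONTENT_DIR . '/plugins' ); // assumed allow-listed root
    $real      = realpath( $base . '/' . ltrim( $requested, '/' ) );

    // realpath() resolves ../ and symlinks; reject anything outside $base.
    if ( false === $real || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( array( 'message' => 'Invalid path.' ), 400 );
    }

    wp_send_json_success( array( 'contents' => file_get_contents( $real ) ) );
}

// Only the hardened handler is registered; the weak one is shown for contrast.
add_action( 'wp_ajax_example_scan', 'example_scan_ajax_hardened' );
```

When auditing a plugin for this pattern, search every `wp_ajax_` callback for a `current_user_can()` call and treat a handler that stops at `check_ajax_referer()` as a finding.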

According to WordPress.org data, roughly 50,000 administrators have downloaded the patch since its release. This means about another 50,000 sites are still running vulnerable versions of the plugin.

Researchers report that they have not yet observed exploitation of CVE-2025-11705 in real-world attacks; however, the public disclosure of the issue will likely attract the attention of malicious actors. Administrators are strongly advised to update Anti-Malware Security and Brute-Force Firewall to version 4.23.83 as soon as possible.
