Full Report
A critical security flaw has been discovered in the Anti-Malware Security and Brute-Force Firewall WordPress plugin, putting more than 100,000 websites at risk. The vulnerability, identified as CVE-2025-11705, allows authenticated attackers with basic subscriber-level access to read any file stored on the web server, potentially exposing sensitive data including database credentials and security keys. Attribute […] The post WordPress Plugin Vulnerability Lets Attackers Read Any Server File appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
Analysis Summary
# Vulnerability: Arbitrary File Read in Anti-Malware Security and Brute-Force Firewall Plugin
## CVE Details
- CVE ID: CVE-2025-11705
- CVSS Score: 6.5 (Medium)
- CWE: CWE-862 Missing Authorization (reachable by any authenticated user with the Subscriber role or higher)
## Affected Systems
- Products: Anti-Malware Security and Brute-Force Firewall WordPress plugin
- Versions: All versions up to and including 4.23.81.
- Configurations: Any WordPress installation with a vulnerable version of the plugin active. The attacker needs a logged-in account with at least the Subscriber role; sites with open registration (Settings > General > "Anyone can register", which assigns Subscriber by default) hand such accounts to anyone who asks.
## Vulnerability Description
This is an Arbitrary File Read vulnerability caused by a missing authorization check in the plugin's AJAX functionality, specifically the `GOTMLS_ajax_scan()` function used to display malware scan results. The handler did verify a nonce, but a nonce only ties a request to the site's own interface (an anti-CSRF measure); it says nothing about whether the calling user is permitted to perform the action. With no capability check, any authenticated user, down to the Subscriber role, could invoke the handler and read arbitrary files on the web server, exposing data such as the database credentials and authentication keys and salts stored in `wp-config.php`.
## Exploitation
- Status: Patched in version 4.23.83; unpatched installations remain exploitable. The issue was reported through the Wordfence Bug Bounty Program and disclosed responsibly.
- Complexity: Low. The attacker needs only a low-privilege authenticated account and a single request to the plugin's AJAX handler.
- Attack Vector: Network. The request is an ordinary HTTP call to the site's `wp-admin/admin-ajax.php` endpoint; the need for an existing low-privilege account is captured by the CVSS Privileges Required metric (PR:L), not by the Attack Vector.
## Impact
- Confidentiality: High. Any file readable by the web server user is exposed, including `wp-config.php` (database credentials, authentication keys and salts).
- Integrity: None directly. The flaw is read-only; the 6.5 score corresponds to the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. Integrity is at risk indirectly, because leaked authentication keys and salts allow forged login cookies, and leaked database credentials allow direct database modification if the database is reachable from the attacker's position.
- Availability: None directly (no impact on service availability is reported).
## Remediation
### Patches
- Update the Anti-Malware Security and Brute-Force Firewall WordPress plugin to **version 4.23.83** or later. The fix, released on October 15th, 2025, adds a proper capability check to the handler via the `GOTMLS_kill_invalid_user()` function. After updating, confirm the installed version on the Plugins page or with `wp plugin get gotmls --field=version` (`gotmls` is the plugin's wordpress.org slug).
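To make the missing check concrete, the following pair of WordPress AJAX handlers shows the vulnerable pattern (nonce verified, nothing else) beside a hardened one (nonce, capability check, and path confinement). This is an added example, not code from the Anti-Malware Security and Brute-Force Firewall plugin or its patch; the hook names, the `example_` prefix, the `file` parameter, `WP_CONTENT_DIR` as the allowed root and the `manage_options` capability are all assumptions made for the demonstration.

```php
<?php
// Added example: illustrative WordPress AJAX handlers, not the plugin's code.
// Assumed names: wp_ajax_example_* hooks, the "file" POST parameter,
// WP_CONTENT_DIR as the only directory that may be read, manage_options
// as the required capability.

// VULNERABLE PATTERN: nonce verified, no capability check, no path confinement.
// check_ajax_referer() only proves the request was built by the site's own UI
// (anti-CSRF). Any logged-in user who can obtain the nonce, including a
// Subscriber, passes it, and a value such as "../wp-config.php" walks out of
// the intended directory.
add_action( 'wp_ajax_example_view_file_vuln', 'example_view_file_vuln' );
function example_view_file_vuln() {
    check_ajax_referer( 'example_view_file' );
    $file = wp_unslash( $_POST['file'] ?? '' );
    header( 'Content-Type: text/plain; charset=utf-8' );
    echo file_get_contents( ABSPATH . $file );
    wp_die();
}

// HARDENED PATTERN: nonce AND capability AND confinement to an allowed root.
add_action( 'wp_ajax_example_view_file', 'example_view_file_safe' );
function example_view_file_safe() {
    check_ajax_referer( 'example_view_file' );

    // Authorization: viewing scan results is an administrator feature.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Path validation: resolve the request and require it to stay under the root.
    $requested = sanitize_text_field( wp_unslash( $_POST['file'] ?? '' ) );
    $path      = example_resolve_inside( WP_CONTENT_DIR, $requested );
    if ( null === $path ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    wp_send_json_success(
        array(
            'file'    => $requested,
            'content' => file_get_contents( $path ),
        )
    );
}

/**
 * Return the canonical path of $relative inside $base, or null if it escapes
 * $base, does not exist, or is not a regular file. realpath() collapses "..",
 * symlinks and mixed separators before the prefix comparison is made.
 */
function example_resolve_inside( $base, $relative ) {
    $base = realpath( $base );
    if ( false === $base ) {
        return null;
    }
    $target = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $relative, '/\\' ) );
    if ( false === $target || ! is_file( $target ) ) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $target, $prefix, strlen( $prefix ) ) ) {
        return null;
    }
    return $target;
}
```

The order of the checks in the hardened handler matters: the capability test runs before any attacker-controlled value is touched, and the path check compares canonical paths with a trailing separator so that a sibling directory sharing the root's name as a prefix (for example `wp-content-old`) is rejected as well.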
### Workarounds
- If you cannot patch immediately, deactivate the plugin until you can; its AJAX handlers are only registered while the plugin is active.
- Shrink the pool of accounts that can exploit the flaw: turn off open registration (Settings > General > "Anyone can register"), review existing Subscriber-level accounts and remove any you do not recognise.
- A Web Application Firewall can block requests to the plugin's AJAX handlers from non-administrator sessions, but treat it as a stopgap; the vendor patch is the definitive fix. (Wordfence provided WAF protection starting October 14th, 2025, for Premium users.)
## Detection
- Indicators of Compromise (IOCs): Requests to `wp-admin/admin-ajax.php` that invoke the plugin's scan-results AJAX action from accounts that are not administrators. A Subscriber account has no legitimate reason to call that handler, so any such request should be treated as an attempt to read `wp-config.php`; if one is found, rotate the database password and the authentication keys and salts, since both are exposed by a successful read.
- Detection methods and tools: Web server access logs are a weak source on their own: for a `POST` to `admin-ajax.php` the `action` parameter travels in the request body, so the log shows only the endpoint, not which action was called. Application-level logging (a WAF that inspects request bodies, or a small hook inside WordPress that records the action and the calling user) is more reliable. Use an updated vulnerability scanner (Wordfence, WPScan) to confirm the installed plugin version is 4.23.83 or later.
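One way to get the application-level visibility described above, and to double as the stopgap mentioned under Workarounds, is a must-use plugin that runs before the plugin's own AJAX handlers. This is an added example, not vendor code: it assumes the plugin's AJAX actions share the `GOTMLS_` prefix (the page names `GOTMLS_ajax_scan()` and `GOTMLS_kill_invalid_user()` but not the registered action name) and uses `manage_options` as the dividing line between expected and suspicious callers.

```php
<?php
/**
 * Plugin Name: GOTMLS AJAX audit
 * Description: Added example (not vendor code). Logs AJAX calls to actions
 * beginning with "GOTMLS_" (assumed action prefix) made by users who lack
 * manage_options, and optionally refuses them. Install by copying this file
 * into wp-content/mu-plugins/.
 */

// admin-ajax.php fires admin_init before dispatching the requested action,
// so priority 0 here runs ahead of any plugin handler.
add_action( 'admin_init', 'gotmls_audit_ajax_request', 0 );

function gotmls_audit_ajax_request() {
    if ( ! wp_doing_ajax() ) {
        return;
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( 0 !== strpos( $action, 'GOTMLS_' ) ) {
        return;
    }

    // Administrators are the intended users of the scanner; anyone else is
    // either a feature you did not know about or an attacker.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }

    $user = wp_get_current_user();
    $line = sprintf(
        'GOTMLS-AUDIT action=%s user_id=%d login=%s ip=%s method=%s uri=%s',
        $action,
        $user->ID,                         // 0 when the caller is not logged in
        $user->ID ? $user->user_login : '-',
        $_SERVER['REMOTE_ADDR'] ?? '-',    // not X-Forwarded-For, which the client controls
        $_SERVER['REQUEST_METHOD'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-'
    );
    error_log( $line ); // written to the PHP error log; forward it from there

    // Optional virtual patch until the site is on 4.23.83. Keep it off until
    // the log shows that no legitimate non-admin feature of the plugin uses a
    // GOTMLS_ action on this site, then set the constant in wp-config.php:
    //   define( 'GOTMLS_AUDIT_BLOCK', true );
    if ( defined( 'GOTMLS_AUDIT_BLOCK' ) && GOTMLS_AUDIT_BLOCK ) {
        wp_send_json_error( 'forbidden', 403 );
    }
}
```

Grep the PHP error log for `GOTMLS-AUDIT` to see who has been calling the plugin's handlers; a line with a non-zero `user_id` and a Subscriber login is the signal to investigate. The hook logs first and blocks only behind a constant, because refusing every `GOTMLS_` action for non-administrators could also break legitimate front-end features of a security plugin, and a log line is cheaper than a broken login form.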
## References
- Vendor Advisory/Discovery Details: Wordfence Bug Bounty Program disclosure (Reported October 3rd, 2025).
- Vendor Fix Release Date: October 15th, 2025.