Full Report
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, has a vulnerability that allows subscribers to read any file on the server, potentially exposing private information. [...]
Analysis Summary
# Vulnerability: Arbitrary File Read in Anti-Malware Security and Brute-Force Firewall Plugin
## CVE Details
- CVE ID: CVE-2025-11705
- CVSS Score: Not explicitly provided; the report describes the issue as "not considered critical" because exploitation requires an authenticated account, even though the impact is high.
- CWE: CWE-284 (Improper Access Control) is the likely classification, since the root cause is a missing capability check.
## Affected Systems
- Products: Anti-Malware Security and Brute-Force Firewall plugin for WordPress
- Versions: 4.23.81 and earlier
- Configurations: Any site utilizing this plugin where users can register/subscribe (low-privileged accounts exist).
## Vulnerability Description
The vulnerability resides in the `_GOTMLS_ajax_scan()` function, which handles the plugin's AJAX requests but performs no capability check. Any authenticated user, even one holding only the low-privileged 'subscriber' role, can invoke it and read arbitrary files on the server. Successful exploitation can disclose sensitive configuration files such as `wp-config.php`, revealing database credentials and, through the database, user emails and password hashes, as well as the site's authentication keys and salts.
## Exploitation
- Status: PoC available (a validated proof of concept was provided to the vendor through Wordfence). Wordfence had not observed exploitation in the wild at the time of reporting.
- Complexity: Medium (Requires prior account creation/subscription on the vulnerable site for authentication).
- Attack Vector: Network
## Impact
- Confidentiality: High (Disclosure of server files, database contents, and sensitive credentials)
- Integrity: Medium (Access to credentials could facilitate later integrity compromises)
- Availability: Low (No direct impact on service availability)
## Remediation
### Patches
- Update the "Anti-Malware Security and Brute-Force Firewall" plugin to version **4.23.83** or later. This version adds a proper user capability check via the new `GOTMLS_kill_invalid_user()` function.
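The following is an added illustration of the bug class described above (a `wp_ajax_` handler reachable by any logged-in user with no capability check) beside the hardened form the fix introduces; it is not the plugin's code, and the action names, function names and directory are hypothetical.

```php
<?php
// Added illustration, not taken from the plugin: a WordPress admin-ajax
// handler that returns the contents of a file named in the request.
// Every identifier below (action names, functions, directory) is hypothetical.

// VULNERABLE PATTERN: 'wp_ajax_' hooks run for every authenticated user,
// including subscribers. Without a capability check, a nonce check, or a
// restriction on the path, this hands back any file PHP can read.
add_action( 'wp_ajax_example_read_file', 'example_read_file_insecure' );
function example_read_file_insecure() {
    $file = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    echo file_get_contents( $file ); // arbitrary file read
    wp_die();
}

// HARDENED: verify the nonce, require an administrator-level capability,
// and only serve files that resolve inside one fixed directory.
add_action( 'wp_ajax_example_read_file_secure', 'example_read_file_secure' );
function example_read_file_secure() {
    // Rejects requests lacking a valid nonce (dies with HTTP 403).
    check_ajax_referer( 'example_read_file', 'nonce' );

    // The check the vulnerable handler was missing: stop low-privileged roles.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Constrain the path: strip directory components, then confirm the
    // resolved path still lies under the intended base directory.
    $base = realpath( WP_CONTENT_DIR . '/example-scan-results' );
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    $path = ( $base !== false && $name !== '' ) ? realpath( $base . '/' . $name ) : false;

    if ( $path === false || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    wp_send_json_success( file_get_contents( $path ) );
}
```

Note that `current_user_can()` alone is what closes the privilege gap the advisory describes; the nonce and path checks address the separate CSRF and path-traversal risks that any file-serving handler carries.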
### Workarounds
- No specific workarounds were detailed beyond immediate patching. Restricting user registration might temporarily limit the pool of potential attackers, but patching is strongly recommended.
## Detection
- Indicators of compromise: Unusual requests logged against the plugin's file-retrieval AJAX handler, or unexpected modifications to core WordPress configuration files.
- Detection methods and tools: Monitor web server access logs for abnormal requests to the plugin's AJAX handlers made by low-privileged users.
## References
- Vendor Advisory: Reports made via the WordPress.org Security Team.
- Relevant links:
  - Plugin page (for updates): hXXps://wordpress.org/plugins/gotmls/advanced/