A critical security vulnerability has been identified in the Anti-Malware Security and Brute-Force Firewall WordPress plugin, affecting over 100,000 websites worldwide.
The flaw, tracked as CVE-2025-11705, enables authenticated attackers with basic subscriber-level access to read arbitrary files from affected servers, potentially exposing sensitive configuration data and database credentials.
The vulnerability stems from a missing authorization check within the plugin’s GOTMLS_ajax_scan() function, which is responsible for displaying malware scan results.
Although the function includes a nonce check, a nonce only ties a request to a page the plugin rendered for a logged-in user; it does not establish that the requester is authorized to perform the action, and the implementation fails to validate user capabilities.
This oversight allows subscribers and other low-privilege accounts to reach the file-reading code path and access critical files such as wp-config.php, which contains database credentials and the cryptographic salts and keys essential to WordPress's security infrastructure.
The security researcher Dmitrii Ignatyev discovered the flaw and responsibly disclosed it through the Wordfence Bug Bounty Program on October 3rd, 2025, receiving a $960 bounty for the discovery.
Following standard vulnerability disclosure practices, the plugin developer released a patched version, 4.23.83, on October 15th, 2025, incorporating proper capability checks through the GOTMLS_kill_invalid_user() function to ensure only authorized users can access sensitive file operations.
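To illustrate the pattern described above, the following is an added PHP example, not the plugin's own code: the function names, the nonce action and the results directory are assumptions. It contrasts an AJAX handler that relies on a nonce alone with one that enforces a capability check first (the class of fix the advisory describes), and adds directory confinement of the file path as extra hardening beyond what the page states.

```php
<?php
// Added illustrative example, not the plugin's actual code. The function names,
// the 'example_scan_nonce' action and the results directory are assumptions.

// Vulnerable pattern: a nonce proves the request came from a page the plugin
// rendered, but any logged-in user (including subscribers) can obtain one, so
// it says nothing about *who* is allowed to perform the action.
function example_ajax_scan_results_vulnerable() {
    check_ajax_referer( 'example_scan_nonce', 'nonce' );
    // ... file contents would be read and returned to the caller here ...
    // No capability check: every authenticated user reaches this point.
    wp_die();
}

// Hardened pattern: authorization (capability) and request-forgery protection
// (nonce) are separate checks, both enforced before any privileged work.
function example_kill_invalid_user() {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
}

function example_ajax_scan_results_fixed() {
    example_kill_invalid_user();                          // authorization first
    check_ajax_referer( 'example_scan_nonce', 'nonce' );  // then CSRF protection

    // Only now touch anything sensitive, and confine reads to the plugin's own
    // results directory instead of accepting an arbitrary path from the client.
    $base = wp_normalize_path( trailingslashit( WP_CONTENT_DIR ) . 'example-scan-results/' );
    $name = sanitize_file_name( wp_unslash( $_POST['result'] ?? '' ) );
    $path = wp_normalize_path( $base . $name );

    if ( '' === $name || 0 !== strpos( $path, $base ) || ! is_file( $path ) ) {
        wp_send_json_error( array( 'message' => 'Invalid result file.' ), 400 );
    }

    wp_send_json_success( array( 'content' => file_get_contents( $path ) ) );
}

// Register only the hardened handler for logged-in AJAX requests.
add_action( 'wp_ajax_example_scan_results', 'example_ajax_scan_results_fixed' );
```

When reviewing a plugin's `wp_ajax_*` handlers, the check to look for is a `current_user_can()` call guarding every handler that touches files or settings, not merely a `check_ajax_referer()` call.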
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-11705 |
| CVSS Score | 6.5 (Medium) |
| Vulnerability Type | Missing Authorization – Arbitrary File Read |
| Affected Plugin | Anti-Malware Security and Brute-Force Firewall |
| Affected Versions | Up to 4.23.81 |
| Patched Version | 4.23.83 and later |
| Discovery Date | October 3, 2025 |
| Patch Release | October 15, 2025 |
Timeline and Protection Status
Wordfence Premium, Care, and Response users received firewall protection against potential exploits on October 14th, 2025, one day before the official patch release.
Users of the free Wordfence version will receive equivalent protection on November 13th, 2025, following the standard 30-day disclosure delay protocol.
Website administrators using the Anti-Malware Security and Brute-Force Firewall plugin must immediately update to version 4.23.83 or later to eliminate the vulnerability.
The flaw affects all installations running versions up to and including 4.23.81, making timely updates critical for maintaining site security and preventing unauthorized access to sensitive server files.
This incident underscores the critical importance of maintaining current plugin versions and actively monitoring security advisories.
Site owners should verify their plugin versions through the WordPress dashboard and implement updates promptly to protect against potential exploitation and maintain the integrity of their WordPress installations.