437/68 Friday, October 31, 2025

Security researchers have discovered a vulnerability in the popular WordPress plugin Anti-Malware Security and Brute-Force Firewall, which is installed on more than 100,000 websites worldwide. The flaw, tracked as CVE-2025-11705, stems from a missing capability check in the function GOTMLS_ajax_scan(), allowing users with subscriber-level access to invoke the function and read arbitrary files on the server—including sensitive files such as wp-config.php, which contains database credentials and configuration details. Successful exploitation could lead to unauthorized access to personal data and administrator accounts.
Although exploitation requires a logged-in user account, websites that allow public registration—such as blogs or forums—remain at high risk. Attackers could create their own accounts to abuse the flaw, and if database access is gained, they could exfiltrate user data, hashed passwords, authentication keys, and other sensitive information. This could ultimately result in full website compromise or data leakage.
The developer has released a patch in version 4.23.83, introducing a new validation function GOTMLS_kill_invalid_user() to enforce proper permission checks. Site administrators using versions older than 4.23.81 are strongly urged to update immediately to prevent potential exploitation. According to WordPress.org, over 50,000 sites have already applied the update, though many remain vulnerable. While Wordfence reports no active attacks at this time, it warns that public disclosure of the vulnerability could prompt threat actors to begin exploiting it soon.
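The root cause described above is an admin-ajax handler that never asks who is calling it. The following added example (not the plugin's own code, and not its actual fix) shows that pattern in a hypothetical plugin, with the unchecked handler beside a hardened version that verifies a nonce and an administrator-only capability before touching any file; the action names, function names and nonce name are invented.

```php
<?php
// Hypothetical WordPress plugin code (added example, not the plugin's own).
// Both handlers register an admin-ajax endpoint that reads a file whose path
// comes from the client.

// VULNERABLE PATTERN: wp_ajax_* hooks fire for every authenticated user,
// Subscriber included, and nothing here checks the caller's role. This is the
// "missing capability check" class of bug the advisory describes.
add_action( 'wp_ajax_example_scan', 'example_scan_unchecked' );
function example_scan_unchecked() {
    $path = isset( $_POST['path'] ) ? wp_unslash( $_POST['path'] ) : '';
    // Any logged-in account can ask for a sensitive file and receive it.
    wp_send_json_success( file_get_contents( $path ) );
}

// HARDENED PATTERN: refuse early unless the request carries a valid nonce and
// the caller holds a capability that only administrators have. The capability
// check is the fix for the bug class; the nonce additionally stops a CSRF
// request riding on an administrator who is already logged in.
add_action( 'wp_ajax_example_scan_secure', 'example_scan_checked' );
function example_scan_checked() {
    // check_ajax_referer() terminates the request on nonce failure.
    check_ajax_referer( 'example_scan_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Even for administrators, never read an arbitrary client-supplied path:
    // strip directory components, resolve the result and confine it to the
    // directory the feature is meant to operate on (uploads, in this example).
    $base      = realpath( WP_CONTENT_DIR . '/uploads' );
    $name      = sanitize_file_name( wp_unslash( $_POST['path'] ?? '' ) );
    $requested = realpath( $base . DIRECTORY_SEPARATOR . $name );
    if ( false === $base || false === $requested
        || 0 !== strpos( $requested, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }

    wp_send_json_success( file_get_contents( $requested ) );
}
```

When reviewing a plugin for this bug class, look at every `wp_ajax_*` callback and confirm that a `current_user_can()` test appears before any file, database or option access, since the hook alone only proves the caller is logged in.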
