A serious security flaw has been found in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress, which is used on more than 100,000 websites.

This issue could allow regular subscribers to read any file stored on the website’s server, including private information.

The plugin is designed to protect websites from malware, brute-force attacks, and known vulnerabilities in other plugins, as well as block database injection attempts. However, a recent vulnerability, identified as CVE-2025-11705, puts many sites at risk. The issue was discovered by security researcher Dmitrii Ignatyev and reported to Wordfence. It affects all versions up to 4.23.81.

The problem stems from a missing capability check in a function called GOTMLS_ajax_scan(), which handles AJAX requests. A nonce only proves that a request came from a page the user loaded; it does not confirm that the user is authorized to perform the action. An attacker who obtained the nonce used by this function could therefore call it to access restricted files. This means even users with low privileges, such as basic subscribers, could potentially read sensitive files like wp-config.php, which stores database details, passwords, and other key information.

Once attackers gain access to the database, they can extract password hashes, user emails, posts, and other confidential data, putting the entire website at risk. Although the vulnerability requires a user to be logged in, many websites allow visitors to create accounts for comments or memberships, making them potential targets.

The issue was reported to the plugin’s developer, Eli, by Wordfence on October 14. The next day, the developer released an updated version, 4.23.83, which fixes the problem by adding a new capability check through the GOTMLS_kill_invalid_user() function.
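The general pattern behind this class of bug and its fix, as an added illustrative example in PHP that is not the plugin's code: the handler names, the `manage_options` capability and the plugin-directory restriction are assumptions made here for illustration, not a description of what GOTMLS_kill_invalid_user() does.

```php
<?php
// Added illustrative example, not taken from the plugin. Function names,
// the required capability and the directory restriction are assumptions.

// Nonce-only pattern: check_ajax_referer() defends against CSRF, but a nonce
// does not say who the caller is. Any logged-in user who can obtain the nonce
// can invoke this handler, and the unvalidated path lets them read any file.
function example_scan_weak() {
    check_ajax_referer( 'example_scan', 'nonce' );           // CSRF check only
    $file = (string) wp_unslash( $_POST['file'] ?? '' );     // unvalidated path
    wp_send_json_success( file_get_contents( $file ) );      // arbitrary read
}

// Hardened pattern: require a capability in addition to the nonce, and confine
// any file access to the plugin's own directory.
function example_scan_hardened() {
    check_ajax_referer( 'example_scan', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {          // admin-only action
        wp_send_json_error( 'forbidden', 403 );              // calls wp_die()
    }
    $requested = (string) wp_unslash( $_POST['file'] ?? '' );
    $base      = realpath( plugin_dir_path( __FILE__ ) );
    $target    = realpath( $base . '/' . ltrim( $requested, '/\\' ) );
    // realpath() resolves "../" segments and symlinks; reject anything that
    // does not land strictly inside $base.
    if ( false === $target || 0 !== strpos( $target, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    wp_send_json_success( file_get_contents( $target ) );
}

// Register only the hardened handler; a subscriber fails the capability check.
add_action( 'wp_ajax_example_scan', 'example_scan_hardened' );
```

The weak handler is shown only to make the missing check visible; the hardened handler is the one to register.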

Since the update’s release, around 50,000 website owners have downloaded the fixed version. This means that nearly half of the plugin’s active users might still be using a vulnerable version. While Wordfence has not yet detected any real-world attacks exploiting this flaw, website owners are strongly advised to update their plugin immediately to stay protected, as the public disclosure of this vulnerability could attract cybercriminals soon.