CVE-2025-11705 in Anti‑Malware Security WordPress Plugin Enables Authenticated Arbitrary File Read

CyberSecureFox 🦊

A high‑impact vulnerability, CVE-2025-11705, has been identified in the popular WordPress plugin Anti‑Malware Security and Brute‑Force Firewall. It lets any authenticated user, down to the Subscriber role (the lowest default role, and the one WordPress assigns to self-registered accounts), read arbitrary files on the server. The plugin is installed on more than 100,000 sites. At the time of writing, only about half of those sites are reported to have applied the fix, leaving a significant attack surface exposed.

Technical overview: how the arbitrary file read works

The issue affects plugin versions 4.23.81 and earlier and stems from the AJAX handler GOTMLS_ajax_scan(). The handler lacks a capability check, the permission test (current_user_can() in WordPress terms) that verifies whether the current user is authorized to perform a sensitive operation, and instead relies solely on a request nonce. A WordPress nonce is a CSRF token: it ties a request to a logged-in user's session and a named action, and it says nothing about what that user is allowed to do. Where a plugin issues the nonce to any logged-in user, a Subscriber's own nonce is as valid as an administrator's. Once a low‑privileged user obtains or reuses a valid nonce, they can invoke the vulnerable handler and read any file the PHP process can open on the hosting environment, wp-config.php included.
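The following is an added illustration of the bug class, not the plugin's own code and not code from the CyberSecureFox article: a WordPress AJAX handler that verifies a nonce but never a capability, beside a hardened version that checks current_user_can() and confines the requested path. The handler names, the 'demo_scan' nonce action, the 'file' parameter and the wp-content scan root are assumptions made for the demo. Inside WordPress the file works as a drop-in plugin; run from the CLI without WordPress, the stubs at the top simulate a logged-in Subscriber holding a valid nonce so both handlers can be exercised offline against constructed sample files.

```php
<?php
/**
 * Illustration of the bug class behind CVE-2025-11705: a nonce check without
 * a capability check. Hypothetical code, NOT the Anti-Malware Security plugin's
 * source. Handler names, nonce action and parameters are assumptions.
 */

$demo_standalone = ! function_exists( 'add_action' );

if ( $demo_standalone ) {
    // --- Minimal stand-ins for the WordPress APIs used below (demo only) ---
    $GLOBALS['demo_hooks']    = array();
    $GLOBALS['demo_is_admin'] = false;      // the simulated caller: a Subscriber
    function add_action( $hook, $callback ) { $GLOBALS['demo_hooks'][ $hook ] = $callback; }
    function do_action( $hook ) { call_user_func( $GLOBALS['demo_hooks'][ $hook ] ); }
    function check_ajax_referer( $action, $arg, $die = true ) {
        // A nonce is per user and per action; any logged-in user can hold one.
        return ( $_REQUEST[ $arg ] ?? '' ) === "nonce-for-$action";
    }
    function current_user_can( $cap ) { return $GLOBALS['demo_is_admin']; }
    function wp_send_json_error( $data, $code = 500 ) { echo "HTTP $code ", json_encode( $data ), "\n"; }
    function wp_send_json_success( $data ) { echo "HTTP 200 ", json_encode( $data ), "\n"; }
    define( 'ABSPATH', rtrim( sys_get_temp_dir(), '/' ) . '/demo-wp-root/' );
    @mkdir( ABSPATH . 'wp-content/plugins', 0700, true );
    // Constructed sample files standing in for a real site's.
    file_put_contents( ABSPATH . 'wp-config.php', "<?php define( 'DB_PASSWORD', 'not-a-real-secret' );\n" );
    file_put_contents( ABSPATH . 'wp-content/plugins/hello.php', "<?php // harmless plugin\n" );
}

/** VULNERABLE: the nonce proves the request came from a logged-in user's page, nothing more. */
function demo_ajax_scan_vulnerable() {
    if ( ! check_ajax_referer( 'demo_scan', 'nonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );
        return;
    }
    // No current_user_can() check, and the path is used as supplied:
    // a Subscriber can ask for wp-config.php or ../../etc/passwd.
    readfile( ABSPATH . ( $_REQUEST['file'] ?? '' ) );
}

/** HARDENED: authorization first, then confine the path to the scan root. */
function demo_ajax_scan_hardened() {
    if ( ! check_ajax_referer( 'demo_scan', 'nonce', false ) ) {
        wp_send_json_error( 'bad nonce', 403 );
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {   // the check the vulnerable handler lacks
        wp_send_json_error( 'insufficient privileges', 403 );
        return;
    }
    // Defence in depth: resolve symlinks and traversal, then require the
    // result to sit under the scan root. wp-config.php never qualifies.
    $root = realpath( ABSPATH . 'wp-content' );
    $real = realpath( ABSPATH . ( $_REQUEST['file'] ?? '' ) );
    if ( false === $root || false === $real || 0 !== strpos( $real, $root . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'path outside scan root', 400 );
        return;
    }
    // A scanner has no reason to echo file contents; return metadata only.
    wp_send_json_success( array( 'file' => substr( $real, strlen( $root ) + 1 ), 'bytes' => filesize( $real ) ) );
}

add_action( 'wp_ajax_demo_scan_vulnerable', 'demo_ajax_scan_vulnerable' );
add_action( 'wp_ajax_demo_scan_hardened',   'demo_ajax_scan_hardened' );

if ( $demo_standalone ) {
    $_REQUEST = array( 'nonce' => 'nonce-for-demo_scan', 'file' => 'wp-config.php' );
    echo "[subscriber] vulnerable: "; do_action( 'wp_ajax_demo_scan_vulnerable' );  // leaks the config file
    echo "[subscriber] hardened:   "; do_action( 'wp_ajax_demo_scan_hardened' );    // HTTP 403
    $GLOBALS['demo_is_admin'] = true;
    echo "[admin]      hardened:   "; do_action( 'wp_ajax_demo_scan_hardened' );    // HTTP 400, outside scan root
    $_REQUEST['file'] = 'wp-content/plugins/hello.php';
    echo "[admin]      hardened:   "; do_action( 'wp_ajax_demo_scan_hardened' );    // HTTP 200 with metadata
}
```

Run it with `php demo.php`. The first line of output is the constructed wp-config.php leaking through the vulnerable handler; the hardened handler refuses the Subscriber outright and, even for an administrator, refuses any path outside the scan root. The order of the checks is deliberate: the nonce check defends against CSRF, the capability check is the authorization the original handler omitted, and the realpath() containment limits what even an authorized caller can reach.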

Why access to wp-config.php is particularly dangerous

The most valuable target is typically wp-config.php, which stores database credentials and the WordPress authentication keys and salts. With database access (wherever the database is reachable from the attacker's vantage point, which on shared hosting often includes the same server), an attacker can extract password hashes, email addresses, post content and drafts, and other sensitive data, or simply insert an administrator account. The authentication keys and salts let an attacker forge login cookies, and the password hashes can be cracked offline. Together these facilitate session forgery and account takeover, which can lead to full site compromise, especially when chained with other issues or poor credential hygiene.

Scope, timeline, and patch status for CVE-2025-11705

Security researcher Dmitry Ignatiev reported the bug through the Wordfence bug bounty program. Wordfence notified the plugin developers on October 14, 2025. A fix shipped on October 15, 2025 in version 4.23.83, introducing GOTMLS_kill_invalid_user() to enforce capability checks before sensitive operations execute.

According to WordPress.org download statistics referenced at publication time, the patch had been downloaded roughly 50,000 times, suggesting that around 50,000 installations may still be running vulnerable versions. Treat that as a rough estimate: download counts do not map one-to-one to installations, and the 100,000 figure is itself a floor. No in‑the‑wild exploitation was publicly confirmed at publication; however, experience shows that public disclosure often accelerates opportunistic probing and exploitation attempts.

Risk analysis: who is exposed and how to prioritize

Because this is an authenticated arbitrary file read, sites with open user registration face elevated risk. An attacker only needs to register a basic account (WordPress assigns new registrations the Subscriber role by default, which is sufficient here) and trigger the vulnerable AJAX path to attempt file reads. Sites that restrict user registration still face insider risk or abuse of existing low‑privileged accounts, including accounts taken over through credential stuffing.

Mitigation: immediate actions for WordPress administrators

Update now to Anti‑Malware Security 4.23.83 or later. Patching is the only reliable way to remove the root cause. Then implement the following hardening steps to reduce residual risk and detect abuse:

  • Control registration: Disable or limit public sign‑ups; enable moderation, email verification, and tools like reCAPTCHA where appropriate.
  • Rotate sensitive secrets: Change the database password (updating wp-config.php to match) and regenerate all eight AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and matching *_SALT values if compromise is suspected. Regenerating the keys and salts invalidates every existing login cookie, so all users are signed out. Since a successful file read leaves little trace at the application layer, err on the side of rotating.
  • Harden wp-config.php: Web server rules that deny direct HTTP requests for wp-config.php are still worth having, but they do not stop this bug, which reads the file through PHP; nor does moving the file one directory up, since WordPress itself must read it. What limits the blast radius is running PHP under a dedicated account with read access to nothing beyond the site (so other sites' configs, backup archives and system files are out of reach), scoping the database user to its single database with least privilege, and binding the database to localhost or a private network so that leaked credentials alone are not usable from outside.
  • Monitor logs: Review web server and security plugin logs for unusual requests to admin-ajax.php, particularly from Subscriber accounts, new registrations or unfamiliar user agents, and investigate anomalies promptly. Note that admin-ajax action names are usually sent in the POST body, which access logs do not record, so plugin-level or PHP-level logging is needed to attribute a request to a specific handler.
  • Reduce attack surface: Apply the principle of least privilege, remove unused plugins/themes, and maintain timely core and plugin updates.
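Two of the steps above, confirming the installed version and triaging logs, are easy to script. The block below is an added example, not code from the plugin or the article. It assumes the plugin's directory is wp-content/plugins/gotmls with its header in index.php (check your install), and the watched AJAX action name is an assumption too; the access-log lines are constructed for the demo. It needs PHP 8.

```php
<?php
/**
 * Triage helpers for CVE-2025-11705 remediation. Added illustration; the
 * plugin path and the watched action name are assumptions.
 */

const DEMO_FIXED_VERSION = '4.23.83';

/** True when a version is below the fix; per the advisory, 4.23.81 and earlier are affected. */
function gotmls_is_unpatched( string $version ): bool {
    return version_compare( $version, DEMO_FIXED_VERSION, '<' );
}

/** Reads the "Version:" header from a plugin's main file, or null if absent. */
function plugin_version_from_file( string $path ): ?string {
    if ( ! is_readable( $path ) ) {
        return null;
    }
    $head = file_get_contents( $path, false, null, 0, 8192 );   // WordPress also reads only the first 8 KiB
    return preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $head, $m ) ? trim( $m[1] ) : null;
}

/**
 * Flags access-log requests worth a second look: admin-ajax.php requests whose
 * query string carries a watched action, and any URL containing a traversal
 * sequence or a wp-config.php reference. POST bodies are not in access logs,
 * so most AJAX actions will not be visible here; see the monitoring note above.
 */
function flag_suspicious_requests( array $lines, array $watched_actions ): array {
    $flagged = array();
    foreach ( $lines as $line ) {
        // Combined Log Format: ip ident user [time] "METHOD url proto" status ...
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
            continue;
        }
        [ $full, $ip, $ts, $method, $url, $status ] = $m;
        $path  = (string) ( parse_url( $url, PHP_URL_PATH ) ?? '' );
        parse_str( (string) ( parse_url( $url, PHP_URL_QUERY ) ?? '' ), $params );
        $reasons = array();
        if ( str_ends_with( $path, '/wp-admin/admin-ajax.php' ) && in_array( $params['action'] ?? '', $watched_actions, true ) ) {
            $reasons[] = 'watched ajax action ' . $params['action'];
        }
        $decoded = rawurldecode( $url );
        if ( str_contains( $decoded, '../' ) || str_contains( $decoded, 'wp-config.php' ) ) {
            $reasons[] = 'traversal or wp-config.php reference in URL';
        }
        if ( $reasons ) {
            $flagged[] = compact( 'ip', 'ts', 'method', 'url', 'status', 'reasons' );
        }
    }
    return $flagged;
}

// Constructed sample log lines; only the first and third should be flagged.
$demo_sample_lines = array(
    '203.0.113.7 - - [16/Oct/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=GOTMLS_scan HTTP/1.1" 200 1843 "-" "curl/8.4.0"',
    '198.51.100.9 - - [16/Oct/2025:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 52 "https://example.com/wp-admin/" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Oct/2025:10:01:09 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "curl/8.4.0"',
    '192.0.2.4 - - [16/Oct/2025:10:02:11 +0000] "GET /wp-content/uploads/2025/10/a.png HTTP/1.1" 200 9921 "-" "Mozilla/5.0"',
);

if ( PHP_SAPI === 'cli' ) {
    foreach ( array( '4.23.81', '4.23.83' ) as $v ) {
        printf( "%s: %s\n", $v, gotmls_is_unpatched( $v ) ? 'UNPATCHED' : 'patched' );
    }
    // On a real host (path assumed): plugin_version_from_file( ABSPATH . 'wp-content/plugins/gotmls/index.php' )
    foreach ( flag_suspicious_requests( $demo_sample_lines, array( 'GOTMLS_scan' ) ) as $hit ) {   // action name assumed
        printf( "%s %s %s %s -> %s (%s)\n", $hit['ts'], $hit['ip'], $hit['method'], $hit['url'], $hit['status'], implode( '; ', $hit['reasons'] ) );
    }
}
```

Point plugin_version_from_file() at every site on a host to find stragglers, and feed flag_suspicious_requests() real access logs with the action name taken from the plugin's own add_action('wp_ajax_...') registration. The version check deliberately treats anything below 4.23.83 as unpatched rather than only the 4.23.81-and-earlier range named in the advisory, matching the "4.23.83 or later" guidance.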

Organizations should treat CVE-2025-11705 as a priority because of the potential exposure of wp-config.php and database credentials. Rapid patching, credential rotation when warranted, and diligent monitoring materially lower the probability of account takeover and data leakage. Addressing this vulnerability swiftly, and reinforcing standard WordPress hardening practices, will help keep sites resilient against emerging exploit attempts.
