Critical Security Flaw Unveiled: WordPress Plugin Leaks Private Data to Subscribers

Security Vulnerability in WordPress Anti-Malware Plugin Exposes Sensitive Data

An alarming security flaw has been discovered in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress, a popular tool used by over 100,000 websites. The vulnerability allows authenticated users with as little as the Subscriber role to read any file on the server, potentially exposing confidential information.

The plugin, designed to protect websites from malware, brute-force attacks, and other malicious activities, was found to have a critical vulnerability identified as CVE-2025-11705. This flaw, reported by researcher Dmitrii Ignatyev, affects plugin versions 4.23.81 and earlier.

The issue arises from a missing capability check in the plugin's GOTMLS_ajax_scan() function, which processes AJAX requests guarded only by a nonce that low-privileged users can obtain. Because a nonce proves request intent rather than authorization, this oversight enables low-privileged users to read sensitive files on the server, including the wp-config.php configuration file containing database credentials.

By exploiting this vulnerability, attackers can gain access to password hashes, user emails, posts, and other confidential data stored in the database. While authentication is required for exploitation, websites that allow user subscriptions or memberships are at risk.

Upon discovering the vulnerability, Wordfence promptly notified the plugin vendor, Eli, and the WordPress.org Security Team. A validated proof-of-concept exploit was provided, leading to the release of version 4.23.83 of the plugin on October 15. This update addresses the vulnerability by implementing a proper user capability check through the new GOTMLS_kill_invalid_user() function.
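The root cause and the fix described above, shown as a schematic WordPress AJAX handler. This is an added illustration, not the plugin's own code: the function names, the nonce action and the example_run_scan() helper are hypothetical; the WordPress API calls (check_ajax_referer, current_user_can, wp_send_json_error) are real.

```php
<?php
// Added illustration of the missing-authorization pattern behind CVE-2025-11705.
// All example_* names are hypothetical; this is not the plugin's code.

// Before: only the nonce is verified. A nonce defends against CSRF, it does not
// establish authorization. Any logged-in user (a subscriber included) who can
// obtain the nonce passes this check and reaches the privileged scan routine.
function example_ajax_scan_vulnerable() {
    check_ajax_referer( 'example_scan_nonce', 'nonce' );
    $path = sanitize_text_field( wp_unslash( $_POST['path'] ?? '' ) );
    wp_send_json_success( example_run_scan( $path ) ); // assumed helper; privileged action reached
}

// After: reject callers without the administrative capability before doing
// anything else. This mirrors the role of the GOTMLS_kill_invalid_user() check
// introduced in version 4.23.83 (hypothetical reimplementation, not the vendor's).
function example_kill_invalid_user() {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
}

function example_ajax_scan_fixed() {
    example_kill_invalid_user();                       // authorization: who may do this
    check_ajax_referer( 'example_scan_nonce', 'nonce' ); // intent: was this request meant
    $path = sanitize_text_field( wp_unslash( $_POST['path'] ?? '' ) );
    wp_send_json_success( example_run_scan( $path ) );
}

// Hooking only wp_ajax_ (not wp_ajax_nopriv_) is not sufficient on its own: it
// guarantees a logged-in session, which subscriber accounts also have.
add_action( 'wp_ajax_example_scan', 'example_ajax_scan_fixed' );
```

When reviewing plugin code for this class of bug, look for every wp_ajax_ handler that performs a privileged action and confirm it calls current_user_can() with an appropriate capability, not just a nonce check.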

Website administrators are strongly advised to update to the latest version of the plugin to mitigate the risk of exploitation. Despite no known instances of exploitation in the wild, the public disclosure of the vulnerability may attract malicious actors.