WordPress Plugin Flaw Exposes Sensitive Data to Subscribers

Deepanker Verma October 30, 2025 Security

A new vulnerability has been discovered in the popular WordPress plugin Anti-Malware Security and Brute-Force Firewall. The vulnerability puts more than 100,000 websites at risk. The flaw allows low-level users, such as subscribers, to read private files stored on the server, including critical configuration data.

The issue has been tracked as CVE-2025-11705 and was reported to Wordfence by security researcher Dmitrii Ignatyev. It affects plugin versions 4.23.81 and earlier. The problem lies in a missing capability check within a function called GOTMLS_ajax_scan(), which handles AJAX requests. Because a nonce only protects against cross-site request forgery and does not establish what a user is authorized to do, any authenticated user holding a valid nonce, even one with the most limited privileges, can invoke the function and access sensitive files.

This means attackers with subscriber accounts could potentially view the wp-config.php file, which contains important information such as database names, usernames, and passwords. With this access, an attacker could read private data, extract user details, and gain deeper access to the website.

While this flaw requires authentication, it remains a serious concern for websites that allow public registration. Many WordPress sites let visitors create subscriber accounts for commenting or accessing certain features. These accounts meet the basic requirement needed to launch the attack, making the risk significant for membership-based or community-driven websites.

Wordfence reported the vulnerability to the plugin developer Eli on October 14, 2025, along with proof-of-concept details. The developer responded quickly, releasing version 4.23.83 the next day to fix the issue. The update adds a new security function called GOTMLS_kill_invalid_user() that performs proper capability checks and blocks unauthorized users from exploiting the flaw.
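The bug class behind this fix, shown as an added example that is not the plugin's own code: a hypothetical plugin AJAX handler that verifies a nonce but never checks a capability, beside a hardened version that checks the capability first and confines the readable path. The function names, nonce action, request parameter and report directory are all assumptions for illustration.

```php
<?php
/**
 * Added example (not the plugin's code). A WordPress nonce only proves the
 * request was issued from a page rendered for a logged-in user; every
 * subscriber can obtain one, so the nonce is CSRF protection, not
 * authorization. Authorization is the capability check that was missing.
 * All function names, the nonce action and the directory are hypothetical.
 */

// Vulnerable pattern: the nonce passes for any authenticated role, so a
// subscriber reaches the file read exactly as an administrator would.
function example_ajax_read_file_vulnerable() {
    check_ajax_referer( 'example_scan', 'nonce' );
    $path = isset( $_REQUEST['path'] ) ? wp_unslash( $_REQUEST['path'] ) : '';
    wp_send_json_success( array( 'contents' => file_get_contents( $path ) ) );
}

// Hardened pattern: reject callers without the required capability first,
// then keep the path inside an allowlisted directory.
function example_ajax_read_file_hardened() {
    check_ajax_referer( 'example_scan', 'nonce' );

    // Authorization: only users allowed to manage the site (administrators).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // Resolve the requested file against the report directory and make sure it
    // stays inside it; wp-config.php lives outside and is therefore unreachable.
    $base = realpath( WP_CONTENT_DIR . '/example-scan-reports' );
    $raw  = isset( $_REQUEST['path'] ) ? wp_unslash( $_REQUEST['path'] ) : '';
    $path = ( false !== $base ) ? realpath( $base . '/' . basename( $raw ) ) : false;
    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( array( 'message' => 'Invalid path.' ), 400 );
    }

    wp_send_json_success( array( 'contents' => file_get_contents( $path ) ) );
}

// Only the wp_ajax_ hook is used (no wp_ajax_nopriv_), so callers must be
// logged in, and only the hardened handler is registered.
add_action( 'wp_ajax_example_read_file', 'example_ajax_read_file_hardened' );
```

The same pattern applies to any plugin AJAX or REST endpoint: check_ajax_referer() answers "did this request come from my page?", while current_user_can() answers "is this user allowed to do this?", and a privileged action needs both.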

Wordfence has not detected any active exploitation in the wild, but now that the vulnerability has been publicly disclosed, the chances of attacks may increase. Website owners using this plugin are strongly advised to update immediately to version 4.23.83 or later. It is also a good idea to review user roles and registration settings to limit access for low-privileged users.


About the Author: Deepanker Verma

Deepanker Verma is a well-known technology blogger and gadget reviewer based in India. He has been writing about Tech for over a decade.
