CVE-2025-11705
Published: 2025-10-29
CVE-2025-11705: The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due…
Priority: P2 · 79 · medium · 6.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
ITW · VulnCheck KEV: Exploited in the wild
EPSS: 0.57% (43.0th percentile)
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several GOTMLS_* AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 6.10.0 < 6.12.50 | 6.12.50 |
| linux | linux_kernel | >= 6.13.0 < 6.16.10 | 6.16.10 |
| scheeeli | anti-malware_security_and_brute-force_firewall | <= 4.23.81 | — |
Detection & IOCs
- Vulnerability is triggered via AJAX actions prefixed with GOTMLS_*: monitor for authenticated low-privileged (Subscriber-level) requests invoking these AJAX actions, particularly GOTMLS_ajax_scan()
- Watch for authenticated requests to wp-admin/admin-ajax.php with action parameters matching GOTMLS_* from Subscriber-level or low-privileged accounts, especially targeting sensitive file paths such as wp-config.php
- Flag any exploitation of several GOTMLS_* AJAX actions by authenticated users with Subscriber-level access and above as potential arbitrary file read attempts
- Exploitation requires authentication (minimum Subscriber-level); sites that do not allow user registration or subscriptions are at significantly reduced risk
- As of public disclosure, no in-the-wild exploitation has been confirmed by Wordfence, but public disclosure may attract attacker attention
- Approximately 50,000 sites had not yet applied the patch as of the time of reporting, indicating a large vulnerable population remains
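The monitoring described in the bullets above can be run over web server access logs. The following is an added example, not code from the plugin or from any of the cited sources; it assumes combined-format access logs and an `action` value visible in the query string, and the sample lines, `GOTMLS_PLACEHOLDER` and the `placeholder` parameter are constructed stand-ins.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: the web server writes Apache/nginx "combined" access logs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
SENSITIVE = ("wp-config.php",)  # the file path the bullets above call out

def triage(line):
    """Return a finding for a GOTMLS_* admin-ajax.php request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["uri"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # Only the query string is visible here; an action sent in a POST body
    # is not logged and needs WAF or application-level logging instead.
    actions = [a for a in parse_qs(url.query).get("action", [])
               if a.startswith("GOTMLS_")]
    if not actions:
        return None
    decoded = unquote(unquote(url.query)).lower()  # tolerate double encoding
    sensitive = any(name in decoded for name in SENSITIVE)
    return {"ip": m["ip"], "action": actions[0], "status": int(m["status"]),
            "severity": "high" if sensitive else "medium"}

def scan(lines):
    """Triage every log line and keep only the findings."""
    return [f for f in map(triage, lines) if f]

# Constructed sample lines; GOTMLS_PLACEHOLDER and the "placeholder" parameter
# are stand-ins, not names taken from the plugin.
SAMPLE = [
    '203.0.113.7 - - [29/Oct/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=GOTMLS_PLACEHOLDER&placeholder=wp-config.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [29/Oct/2025:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=GOTMLS_PLACEHOLDER&placeholder=wp%2Dconfig.php HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [29/Oct/2025:10:02:00 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "-"',
    '198.51.100.9 - - [29/Oct/2025:10:03:00 +0000] "GET /wp-admin/admin-ajax.php?action=GOTMLS_PLACEHOLDER HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Access logs do not show the WordPress role behind a request, so each finding still has to be correlated with the account that held the session before it is treated as Subscriber-level activity.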
CVSS provenance
nvd · v3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vulncheck · 6.5 MEDIUM
GHSA
GHSA-r62f-cx5r-q9jm: The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4
ghsa_unreviewed·2025-10-29
CVE-2025-11705 [MEDIUM] CWE-862 GHSA-r62f-cx5r-q9jm: The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several GOTMLS_* AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
OSV
net/smc: fix warning in smc_rx_splice() when calling get_page()
osv·2025-10-20
CVE-2025-40012 net/smc: fix warning in smc_rx_splice() when calling get_page()
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix warning in smc_rx_splice() when calling get_page()
smc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are
later passed to get_page() in smc_rx_splice(). Since kmalloc memory is
not page-backed, this triggers WARN_ON_ONCE() in get_page() and prevents
holding a refcount on the buffer. This can lead to use-after-free if
the memory is released before splice_to_pipe() completes.
Use folio_alloc() instead, ensuring DMBs are page-backed and safe for
get_page().
WARNING: CPU: 18 PID: 12152 at ./include/linux/mm.h:1330 smc_rx_splice+0xaf8/0xe20 [smc]
CPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g9cf4
VulnCheck
anti-malware_security_and_brute-force_firewall_project anti-malware_security_and_brute-force_firewall Missing Authorization
vulncheck·2025·CVSS 6.5
CVE-2025-11705 [MEDIUM] anti-malware_security_and_brute-force_firewall_project anti-malware_security_and_brute-force_firewall Missing Authorization
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several GOTMLS_* AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Affected: anti-malware_security_and_brute-force_firewall_project anti-malware_security_and_brute-force_firewall
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if
Red Hat
kernel: net/smc: fix warning in smc_rx_splice() when calling get_page()
vendor_redhat·2025-10-20
CVE-2025-40012 kernel: net/smc: fix warning in smc_rx_splice() when calling get_page()
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix warning in smc_rx_splice() when calling get_page()
smc_lo_register_dmb() allocates DMB buffers with kzalloc(), which are
later passed to get_page() in smc_rx_splice(). Since kmalloc memory is
not page-backed, this triggers WARN_ON_ONCE() in get_page() and prevents
holding a refcount on the buffer. This can lead to use-after-free if
the memory is released before splice_to_pipe() completes.
Use folio_alloc() instead, ensuring DMBs are page-backed and safe for
get_page().
WARNING: CPU: 18 PID: 12152 at ./include/linux/mm.h:1330 smc_rx_splice+0xaf8/0xe20 [smc]
CPU: 18 UID: 0 PID: 12152 Comm: smcapp Kdump: loaded Not tainted 6.17.0-rc3-11705-g
No detection rules found.
No public exploits indexed.
Published: 2025-10-29
Exploited in the wild