CVE-2025-11705
published 2025-10-29

CVE-2025-11705: The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due…

Priority: P279
Severity: medium, CVSS 3.1 base score 6.5
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.57% (43.0th percentile)
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several GOTMLS_* AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Affected (3 ranges)

Vendor     Product                                           Version range           Fixed in
linux      linux_kernel                                      >= 6.10.0 < 6.12.50     6.12.50
linux      linux_kernel                                      >= 6.13.0 < 6.16.10     6.16.10
scheeeli   anti-malware_security_and_brute-force_firewall    <= 4.23.81

Detection & IOCs (extracted from sources)

  • The vulnerability is triggered via AJAX actions prefixed with GOTMLS_*: monitor for authenticated low-privileged (Subscriber-level) requests invoking these AJAX actions, particularly GOTMLS_ajax_scan()
  • Watch for authenticated requests to wp-admin/admin-ajax.php with action parameters matching GOTMLS_* from Subscriber-level or low-privileged accounts, especially those targeting sensitive file paths such as wp-config.php
  • Flag any use of the affected GOTMLS_* AJAX actions by authenticated users with Subscriber-level access and above as a potential arbitrary file read attempt
  • Exploitation requires authentication (minimum Subscriber-level); sites that do not allow user registration or subscriptions are at significantly reduced risk
  • As of public disclosure, no in-the-wild exploitation has been confirmed by Wordfence, but public disclosure may attract attacker attention
  • Approximately 50,000 sites had not yet applied the patch as of the time of reporting, indicating that a large vulnerable population remains
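As an added example (not taken from this page's sources), the first two indicators above turned into a small triage script over web-server access logs. The log lines and the `file=` query parameter are constructed placeholders, not the plugin's real parameters or real traffic; the script flags GOTMLS_* admin-ajax requests and raises the severity when the query also references wp-config.php or a traversal sequence.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Nginx "combined" format (placeholder traffic,
# placeholder parameter names; the IPs are RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Oct/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=GOTMLS_ajax_scan&file=wp-config.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [29/Oct/2025:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=GOTMLS_other HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.4 - - [29/Oct/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"
198.51.100.4 - - [29/Oct/2025:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Strings in the query string that suggest a sensitive file is being requested.
# wp-config.php comes from the advisory; the traversal forms are generic indicators.
SENSITIVE = ("wp-config.php", "../", "..%2f", "..%5c")


def classify_request(line):
    """Return a finding for a GOTMLS_* admin-ajax request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    action = parse_qs(parts.query).get("action", [""])[0]
    if not action.startswith("GOTMLS_"):
        return None
    # Any GOTMLS_* call from a low-privileged session is worth a look (medium);
    # a query that also names a sensitive file is treated as high.
    query = parts.query.lower()
    severity = "high" if any(s in query for s in SENSITIVE) else "medium"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "action": action,
            "status": m.group("status"), "severity": severity}


def scan_log(text):
    """Run classify_request over every line and keep only the findings."""
    return [f for f in (classify_request(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

WordPress admin-ajax actions are frequently sent in a POST body, which an access log does not record, so pair this with a WAF or application log that captures POST fields. Whether the caller was a Subscriber-level account is also not visible here; join the finding against WordPress session or audit-log data to confirm the low-privilege condition the advisory describes.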

CVSS provenance

NVD: CVSS v3.1, 6.5 MEDIUM, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
VulnCheck: 6.5 MEDIUM