CVE-2025-11705
📋 TL;DR
This vulnerability in the Anti-Malware Security and Brute-Force Firewall WordPress plugin allows authenticated attackers with Subscriber-level access or higher to read arbitrary files on the server. Attackers can access sensitive information like configuration files, credentials, or other private data. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Anti-Malware Security and Brute-Force Firewall WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain access to sensitive files like wp-config.php containing database credentials, SSH keys, or other configuration files, leading to complete site compromise, data theft, or lateral movement within the server environment.
Likely Case
Attackers read WordPress configuration files to obtain database credentials, potentially leading to database access, data exfiltration, or privilege escalation within the WordPress installation.
If Mitigated
With proper access controls and monitoring, unauthorized file access attempts are detected and blocked before sensitive information is exposed.
🎯 Exploit Status
Requires authenticated access (Subscriber role minimum). Exploitation involves sending crafted AJAX requests to vulnerable GOTMLS_* endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 4.23.82 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3379118/gotmls
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Anti-Malware Security and Brute-Force Firewall'. 4. Click 'Update Now' if available, or download latest version from WordPress repository. 5. Activate updated plugin.
🔧 Temporary Workarounds
Disable vulnerable AJAX endpoints
allTemporarily block access to vulnerable GOTMLS_* AJAX actions via .htaccess or web server configuration
# Add to .htaccess for Apache:
RewriteCond %{QUERY_STRING} action=GOTMLS_ [NC]
RewriteRule .* - [F,L]
# Add to nginx config:
location ~* \.php$ {
if ($query_string ~* "action=GOTMLS_") {
return 403;
}
}
🧯 If You Can't Patch
- Disable the plugin completely via WordPress admin or by renaming plugin directory
- Implement strict access controls to limit Subscriber role creation and monitor for suspicious file access patterns
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Anti-Malware Security and Brute-Force Firewall' version. If version is 4.23.81 or lower, system is vulnerable.Check Version:
wp plugin list --name='Anti-Malware Security and Brute-Force Firewall' --field=versionVerify Fix Applied:
Verify plugin version shows 4.23.82 or higher in WordPress admin panel. Test that GOTMLS_* AJAX endpoints now require proper authorization.📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-admin/admin-ajax.php with action parameter containing 'GOTMLS_' patterns
- Unusual file access patterns from authenticated users with low privileges
- Multiple 403 errors following workaround implementation
Network Indicators:
- POST requests to admin-ajax.php with GOTMLS_* actions from unexpected IPs
- Unusual outbound data transfers following file read attempts
SIEM Query:
source="web_access_logs" AND uri="/wp-admin/admin-ajax.php" AND query="*action=GOTMLS_*"