CVE-2025-11705

Vulnerability

Analysis

The Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, contains a broken authorization chain in its quarantine system [1]. The plugin exposes several GOTMLS_* AJAX actions that lack proper capability checks. Critically, the public-facing GOTMLS_View_Quarantine endpoint leaks a valid GOTMLS_mt token to any authenticated user, including those with only Subscriber-level access [1].

Exploitation

Scenario

An attacker who has authenticated to the WordPress site (e.g., as a Subscriber) can first obtain the GOTMLS_mt token from the GOTMLS_View_Quarantine endpoint. With this token, they can then invoke the GOTMLS_scan AJAX action, which does not enforce additional permissions, to read arbitrary files on the server [1]. No additional privileges beyond a Subscriber account are required.

Impact

Successful exploitation allows an attacker to read the contents of arbitrary files, including sensitive configuration files such as wp-config.php. This can expose database credentials, salts, and other secrets, leading to full site compromise [1]. The same token can also be reused in other actions like GOTMLS_empty_trash, creating an additional integrity risk to quarantine records [1].

Mitigation

The vulnerability affects all versions up to and including 4.23.81. Users are advised to update the plugin to the latest patched version as soon as it becomes available. No official patch release date has been announced, but a proof-of-concept has been published, increasing the risk of exploitation [1].