- WordPress plugin flaw lets low-privileged users access sensitive server files and credentials
- CVE-2025-11705 affects plugin versions 4.23.81 and earlier; patch released October 15th
- About 50,000 websites remain vulnerable; administrators are encouraged to update immediately
A popular WordPress plugin with more than 100,000 active installations contained a flaw that allowed threat actors to read any file on the server—including people’s emails and, in some cases, passwords.
Security researchers at Wordfence reported a vulnerability in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress. As the name suggests, this plugin allows site owners to scan for malware, protect their sites from brute-force attacks, defend against known bugs, and more.
However, the plugin lacked capability checks in one of its functions, which allowed low-privileged users to read arbitrary files on the server, including sensitive files such as wp-config.php that store various credentials.
Patch available
In theory, this way malicious actors could get hold of people’s email addresses, hashed or cleartext passwords (depending on what is stored) and other private data.
The flaw is now tracked as CVE-2025-11705 and has a severity score of 6.8/10 (medium) – a relatively low severity score as attackers need to be authorized to exploit it, but sites with any kind of membership or subscription running the Anti-Malware Security and Brute-Force Firewall plugin are considered vulnerable.
Versions 4.23.81 and earlier of the plugin are affected, Wordfence said.
The researchers reported their findings to the vendor on October 14, and a patch was issued a day later, on October 15. Version 2.23.83 fixes the bug by adding a proper user capability check in a new function. Since the release of the patch, about half of the users (about 50,000) have installed it, which means that there are still about 50,000 vulnerable websites.
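To illustrate the class of bug described above (a file-reading function reachable by any logged-in user because it never checks capabilities) and the shape of the fix (a proper capability check), here is an added example in generic WordPress plugin code. It is not the Anti-Malware Security and Brute-Force Firewall plugin's code and does not reproduce its actual function names; every hook, function and directory name below is hypothetical and chosen only for illustration.

```php
<?php
// Added illustration, not the affected plugin's code. All names are hypothetical.

// Vulnerable pattern: a wp_ajax_ endpoint is reachable by ANY logged-in user,
// including subscriber-level accounts. This handler reads whatever path the
// request names and never asks whether the caller is allowed to do so, so a
// low-privileged user could request a sensitive file such as wp-config.php.
add_action( 'wp_ajax_example_view_file', 'example_view_file_unchecked' );
function example_view_file_unchecked() {
    $path = isset( $_POST['file'] ) ? (string) wp_unslash( $_POST['file'] ) : '';
    echo file_get_contents( $path ); // no capability check, no nonce, no path confinement
    wp_die();
}

// Hardened pattern: (1) require an administrator capability, (2) verify a nonce
// so the request was issued intentionally from the plugin's own UI, and
// (3) confine the readable path to a single directory owned by the plugin.
add_action( 'wp_ajax_example_view_file_safe', 'example_view_file_safe' );
function example_view_file_safe() {
    // (1) Capability check: this is the check whose absence makes the bug above.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // (2) Nonce check: rejects cross-site requests made on an admin's behalf.
    check_ajax_referer( 'example_view_file', 'nonce' );

    // (3) Path confinement: only files directly inside one hypothetical log
    // directory may be read; basename() strips any directory components and
    // realpath() resolves symlinks and ".." before the prefix comparison.
    $base      = realpath( WP_CONTENT_DIR . '/uploads/example-scan-logs' ); // hypothetical directory
    $name      = basename( isset( $_POST['file'] ) ? (string) wp_unslash( $_POST['file'] ) : '' );
    $requested = ( false !== $base && '' !== $name ) ? realpath( $base . '/' . $name ) : false;

    if ( false === $base || false === $requested
        || 0 !== strpos( $requested, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    wp_send_json_success( file_get_contents( $requested ) );
}
```

When auditing a plugin for this bug class, the question to ask of every `wp_ajax_`, REST or `admin-post` handler that touches the filesystem is the same one the hardened version answers: is there a `current_user_can()` check before the file is opened, and is the path the user supplies confined to a known directory rather than passed straight to `file_get_contents()`?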
At press time, there was no word of exploitation in the wild, but vulnerabilities like this are often exploited months after the patch. Therefore, site administrators are advised to apply the fix as soon as possible.
Via Bleeping Computer