CVE-2025-11705

MEDIUM 6.5 (CVSS 3.1)
2025-10-29

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 08, 2026 - 19:39 (vuln.today)
CVE Published: Oct 29, 2025 - 05:15 (nvd)

Description (NVD)

The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several GOTMLS_* AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Analysis (AI)

Arbitrary file read vulnerability in Anti-Malware Security and Brute-Force Firewall WordPress plugin (versions up to 4.23.81) allows authenticated Subscriber-level users to read sensitive files from the server via unprotected AJAX endpoints. The vulnerability combines missing capability checks with information exposure in multiple GOTMLS_* AJAX actions, enabling attackers with minimal WordPress privileges to access arbitrary file contents including configuration files and credentials. No public exploit code has been confirmed at this time, though the vulnerability is trivial to exploit given the low authentication barrier.
