Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
AV:N/AC:H/PR:N/UI:R matches reflected XSS requiring social engineering; S:C captures browser scope crossing; A:N as XSS does not cause availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Eli Anti-Malware Security and Brute-Force Firewall gotmls allows Reflected XSS.This issue affects Anti-Malware Security and Brute-Force Firewall: from n/a through <= 4.23.89.
AnalysisAI
Reflected cross-site scripting in the Anti-Malware Security and Brute-Force Firewall WordPress plugin (versions through 4.23.89) enables remote unauthenticated attackers to inject and execute arbitrary JavaScript in a victim's browser by tricking them into clicking a specially crafted URL. The CVSS scope change (S:C) indicates the attack crosses security boundaries, allowing script execution in the browser context beyond the plugin itself - enabling session theft, credential harvesting, or unauthorized admin actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must be a user with an active, authenticated session on the target WordPress site (most damaging if an administrator) and must click or be redirected to a crafted URL targeting the vulnerable plugin endpoint - exploitation cannot occur passively against users who do not interact with the malicious link. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 5.8 (Medium) accurately reflects the constrained real-world risk profile: AV:N confirms the attack is network-delivered, but AC:H indicates high attack complexity - reflecting XSS typically requires crafting a payload that bypasses any existing partial filtering and then successfully convincing a victim to click a malicious link. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a WordPress site running the vulnerable gotmls plugin version and constructs a URL containing a reflected XSS payload embedded in a vulnerable parameter. The attacker delivers the link to a logged-in WordPress administrator via phishing email or social media, and when the administrator clicks the link, the plugin reflects the unescaped payload into the HTML response, causing the administrator's browser to execute the injected script - potentially exfiltrating the admin's session cookie or silently creating a rogue administrator account. … |
| Remediation | Site administrators should update the Anti-Malware Security and Brute-Force Firewall plugin to any version released after 4.23.89 via the WordPress admin dashboard (Plugins → Updates). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.21.83 does not sanitise and escape some par
Authenticated PHP object injection in the WordPress 'Anti-Malware Security and Brute-Force Firewall' (GOTMLS) plugin thr
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43354