- WordPress plugin flaw allows low-privileged users to access sensitive server files and credentials
- CVE-2025-11705 affects plugin versions 4.23.81 and earlier; patch released on October 15
- Around 50,000 sites remain vulnerable; administrators are advised to update immediately
A popular WordPress plugin with over 100,000 active installations had a bug that allowed logged-in attackers to read any file on the server, including files holding credentials, users' email addresses and, in some cases, passwords.
Security researchers at Wordfence have reported a vulnerability in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress. As the name suggests, the plugin lets site owners scan for malware, protect their sites from brute-force attacks, defend against known vulnerabilities, and more.
However, one of the plugin's functions lacked a capability check, so any authenticated user, down to the lowest-privileged subscriber role, could read arbitrary files on the server. That includes wp-config.php, which stores the database credentials and the site's authentication keys and salts.
Fix available
An attacker holding those files could thus obtain users' email addresses, hashed or plaintext passwords (depending on what is stored where), and other private data.
The bug is now tracked as CVE-2025-11705 and has a severity score of 6.8/10 (medium). The score is moderate because attackers must be authenticated, but any site that lets visitors register or subscribe and runs the Anti-Malware Security and Brute-Force Firewall plugin should be considered vulnerable, since the least privileged account is enough to exploit it.
All versions of the plugin up to and including 4.23.81 are affected.
The researchers reported their findings to the vendor on October 14, and a patch was released a day later on October 15. Version 4.23.83 fixes the bug by adding a proper check of the caller's capabilities through a new function. Since the patch was released, about half of users (around 50,000) have installed it, meaning roughly 50,000 websites remain vulnerable.
As of press time, there was no word of exploitation in the wild, but vulnerabilities like this are often exploited months after a patch is released, as attackers scan for sites that never updated. Website administrators are therefore advised to apply the patch as soon as possible.
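The bug class described above, and the kind of fix the vendor shipped, shown as an added example in PHP that is not the plugin's own code: a minimal WordPress AJAX handler that exposes a file read to every logged-in user, beside a hardened version that checks the caller's capability, verifies a nonce and confines the path. The hook names, the `hypothetical_` functions and the log directory are assumptions made for this illustration.

```php
<?php
// Added illustrative example, not code from the Anti-Malware Security and
// Brute-Force Firewall plugin. It shows the generic bug class the advisory
// describes: an AJAX handler that reads a file chosen by the caller without
// checking what the caller is allowed to do. Hook names, parameter names and
// the hypothetical_ prefix are assumptions for this example.

// --- Vulnerable pattern -----------------------------------------------------
// wp_ajax_* handlers fire for ANY logged-in user, including subscribers.
// Registering the hook is not an authorization check.
add_action( 'wp_ajax_hypothetical_view_file', 'hypothetical_view_file_vulnerable' );

function hypothetical_view_file_vulnerable() {
    // No current_user_can() and no nonce: a subscriber can POST
    // action=hypothetical_view_file&file=../wp-config.php to admin-ajax.php
    // and receive the database credentials in the response.
    $file = $_POST['file'] ?? '';
    echo file_get_contents( ABSPATH . $file );
    wp_die();
}

// --- Hardened pattern -------------------------------------------------------
add_action( 'wp_ajax_hypothetical_view_file_fixed', 'hypothetical_view_file_fixed' );

function hypothetical_view_file_fixed() {
    // 1. Authorization: only administrators may read server-side files.
    //    This is the check the plugin's patch added.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // calls wp_die() internally
    }

    // 2. CSRF protection: the request must carry a nonce issued to this user
    //    for this action, so a logged-in admin cannot be tricked into firing it.
    check_ajax_referer( 'hypothetical_view_file', 'nonce' );

    // 3. Input confinement: strip directory components, resolve symlinks and
    //    refuse anything outside the one directory this feature is meant to
    //    expose (an assumed plugin log directory under wp-content).
    $base = realpath( WP_CONTENT_DIR . '/hypothetical-logs' );
    $name = basename( sanitize_file_name( $_POST['file'] ?? '' ) );
    $path = ( '' === $name || false === $base ) ? false : realpath( $base . '/' . $name );

    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    wp_send_json_success( file_get_contents( $path ) );
}
```

The three checks are independent: the capability check alone would have closed CVE-2025-11705 as described, but without the nonce an administrator's browser can still be driven to the endpoint by a malicious page, and without path confinement a future change that relaxes the capability (for example to let editors view logs) silently reopens the arbitrary read.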
Via BleepingComputer