The Anti-Malware Security and Brute-Force Firewall plugin for WordPress has a vulnerability that lets authenticated attackers read the contents of arbitrary files on the server, including files that hold sensitive information.
The plugin provides protection against malware, brute force attacks, database injection attempts, and the exploitation of known plugin flaws. If this wasn’t worrying enough, it’s been installed on over 100,000 WordPress sites.
Following investigation, the vulnerability has been assigned a CVSS score of 6.5, classifying it as medium severity. The flaw affects all versions of the plugin up to and including 4.23.81, and it enables authenticated users with subscriber-level permissions or higher to read the contents of arbitrary files on the server, which may contain sensitive information.
For example, the wp-config.php configuration file stores the database name, host and credentials. An attacker who obtains that file and can reach the database host with those credentials could exfiltrate users' email addresses, password hashes, posts, and other sensitive data.
Dmitrii Ignatyev, the researcher behind the discovery, reported the vulnerability (tracked as CVE-2025-11705) to Wordfence earlier this month via the company’s bug bounty program.
“Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program,” said István Márton, WordPress Developer at Lana Codes, in an advisory.
“We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.”
Urgent Remediation Recommended
On October 14th, Wordfence provided Wordfence Premium, Wordfence Care, and Wordfence Response users with a firewall rule to protect against exploits targeting the vulnerability. Sites using the free version of Wordfence will receive the same protection from November 13th.
At the same time, Wordfence reported the flaw to the plugin's vendor, Eli, via the WordPress.org Security Team. Following receipt of that report, the developer released a patched version, 4.23.83, which Wordfence urges users to install as soon as possible. Site owners should confirm that the installed version is 4.23.83 or later; since the advisory names 4.23.81 as the last affected release, any build below the patched version should be treated as unpatched.
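One way to verify a site is running the patched release is to read the `Version:` line from the plugin's main PHP file header (the standard WordPress plugin header format) and compare it numerically against 4.23.83. The script below is an added example, not code from Wordfence, the plugin author or the original article; the sample headers are constructed for the demonstration, and the file-header parsing assumes the usual `Version: x.y.z` header field. It deliberately compares version components as integers, because a string comparison would wrongly rank a hypothetical 4.23.9 above 4.23.83.

```python
import re
from typing import Optional, Tuple

# Versions stated in the advisory text above: last affected and first fixed release.
LAST_VULNERABLE = "4.23.81"
FIXED = "4.23.83"

# Matches the "Version:" field of a WordPress plugin header, with or without a
# leading " * " from a block comment.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", re.MULTILINE)

# Constructed sample headers modelled on the WordPress plugin header format
# (not the real plugin file).
SAMPLE_HEADER_VULNERABLE = """<?php
/*
Plugin Name: Anti-Malware Security and Brute-Force Firewall
Version: 4.23.81
*/
"""

SAMPLE_HEADER_FIXED = """<?php
/**
 * Plugin Name: Anti-Malware Security and Brute-Force Firewall
 * Version: 4.23.83
 */
"""


def parse_version(s: str) -> Tuple[int, ...]:
    """'4.23.81' -> (4, 23, 81): integer components, not a string."""
    return tuple(int(part) for part in s.strip().split("."))


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly older than version b (missing parts count as 0)."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    ta += (0,) * (width - len(ta))
    tb += (0,) * (width - len(tb))
    return ta < tb


def installed_version(plugin_header: str) -> Optional[str]:
    """Extract the Version field from a plugin file's header, or None if absent."""
    match = HEADER_RE.search(plugin_header)
    return match.group(1) if match else None


def needs_update(plugin_header: str) -> Optional[bool]:
    """True if the installed version is below the fixed release, False if patched,
    None if no version header could be found (treat as unknown, not as safe)."""
    version = installed_version(plugin_header)
    if version is None:
        return None
    # Anything below the first fixed release is treated as unpatched, which also
    # covers 4.23.81 and any intermediate build the advisory does not mention.
    return version_lt(version, FIXED)


if __name__ == "__main__":
    for label, header in (("vulnerable sample", SAMPLE_HEADER_VULNERABLE),
                          ("fixed sample", SAMPLE_HEADER_FIXED)):
        print(label, installed_version(header), "needs update:", needs_update(header))
```

To run this against a real install, read the plugin's main PHP file from `wp-content/plugins/` and pass its contents to `needs_update`; a `None` result means the header could not be parsed and the version should be checked by another means rather than assumed safe.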