- WordPress Plugin Flaw Allows Low-Privilege Users to Access Sensitive Server Credentials and Files
- CVE-2025-11705 affects plugin versions 4.23.81 and earlier; patch released October 15
- Some 50,000 sites remain vulnerable; administrators are urged to update immediately.
A popular WordPress plugin with over 100,000 active installations had a bug that allowed threat actors to read any file on the server, including people’s emails and, in some cases, passwords as well.
Security researchers at Wordfence reported a vulnerability in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress. As the name suggests, this plugin allows site owners to scan for malware, protect their sites against brute force attacks, defend against known flaws, and more.
However, the plugin was missing capability checks in one of its functions, allowing low-privileged users to read arbitrary files on the server, including sensitive files such as wp-config.php, which stores the site's credentials.
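To illustrate the class of defect described above, here is an added example (not code from the Anti-Malware Security and Brute-Force Firewall plugin or from Wordfence) of a hypothetical WordPress AJAX handler that serves a file's contents to an admin screen. The `myplugin_` prefix, the `myplugin_view_file` action, the nonce name and the `myplugin-logs` directory are all assumed. The weak version shows why a missing capability check matters on a `wp_ajax_*` hook, which any authenticated user can invoke; the hardened version adds the authorization, CSRF and path checks a reviewer would expect.

```php
<?php
// Added illustration, not the plugin's code. Hypothetical handler that returns
// a file's contents for display in an admin screen of a plugin ("myplugin_").

// --- Weak pattern ------------------------------------------------------------
// wp_ajax_* hooks fire for every logged-in user, subscribers included. With no
// capability check and no path restriction, the handler reads whatever file
// PHP can open, including wp-config.php. Registration is commented out so the
// secure handler below is the only one attached to the action.
function myplugin_view_file_weak() {
    $file = isset( $_POST['file'] ) ? (string) $_POST['file'] : '';
    echo file_get_contents( $file ); // arbitrary file read, no authorization
    wp_die();
}
// add_action( 'wp_ajax_myplugin_view_file', 'myplugin_view_file_weak' );

// --- Hardened pattern --------------------------------------------------------
function myplugin_view_file_secure() {
    // 1. Authorization: only users who can manage the site may view server files.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF: the request must carry a nonce issued to this user for this action
    //    (nonce name 'myplugin_view_file_nonce' is assumed).
    check_ajax_referer( 'myplugin_view_file_nonce', 'nonce' );

    // 3. Path restriction: the caller supplies a bare file name, which is
    //    resolved inside one allowed directory (assumed: wp-content/myplugin-logs).
    //    sanitize_file_name() strips separators and ".." sequences; realpath()
    //    plus the prefix test guards against anything that still escapes.
    $base = realpath( WP_CONTENT_DIR . '/myplugin-logs' );
    $name = isset( $_POST['file'] ) ? sanitize_file_name( wp_unslash( $_POST['file'] ) ) : '';
    $path = ( false !== $base && '' !== $name ) ? realpath( $base . '/' . $name ) : false;

    if ( false === $path || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    // 4. Allowlist of file types the feature actually needs to show.
    $ext = strtolower( pathinfo( $path, PATHINFO_EXTENSION ) );
    if ( ! is_file( $path ) || ! in_array( $ext, array( 'log', 'txt' ), true ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    wp_send_json_success( array( 'content' => file_get_contents( $path ) ) );
}
add_action( 'wp_ajax_myplugin_view_file', 'myplugin_view_file_secure' );
```

When reviewing a plugin, every `wp_ajax_*` or REST callback that touches the filesystem, the database or settings should show the same three checks: `current_user_can()` for authorization, a nonce check for CSRF, and input validation that confines paths to the directory the feature needs. A handler with only the nonce check is still exposed to any account that can obtain a nonce, which on a membership site means every subscriber.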
Patch available
In theory, malicious actors could obtain people’s email addresses, hashed or plaintext passwords (depending on what is stored), and other private data this way.
The bug is now tracked as CVE-2025-11705 and has a severity score of 6.8/10 (medium). The score is relatively low because attackers must authenticate in order to abuse it; however, any site running the Anti-Malware Security and Brute-Force Firewall plugin that offers some form of membership or subscription, and therefore has low-privileged accounts, is considered vulnerable.
Versions 4.23.81 and earlier of the plugin were said to be affected.
The researchers reported their findings to the vendor on October 14, and a patch was released a day later, on October 15. Version 2.23.83 fixes the bug by adding a proper check of the user's capabilities to the affected function. Since the patch was released, about half of users (around 50,000) have installed it, meaning there are still around 50,000 vulnerable websites.
At the time of this publication, there were no reports of exploitation in the wild, but vulnerabilities like this are often exploited months after patching. Website administrators are therefore advised to apply the fix as soon as possible.
Via BleepingComputer