The CleanTalk research team discovered a critical vulnerability in the popular WordPress plugin “Anti-Malware Security and Brute-Force Firewall” (GOTMLS), installed on over 100,000 websites. CVE-2025-11705 allows attackers with minimal privileges (Subscriber level) to read arbitrary files on the server, including the critical wp-config.php file, which contains database credentials and secret keys.
This issue was independently confirmed by multiple parties, including Wordfence, and assigned CVE-2025-11705.
Problem Description
The vulnerability is a classic authorization breach chain involving token leakage and cross-context reuse. The main issue is that the GOTMLS_View_Quarantine AJAX endpoint displays the quarantine list to any authenticated user without checking capabilities or validating nonce tokens.
Summary of the Vulnerability
The plugin exposes an internal AJAX endpoint, GOTMLS_View_Quarantine, to any authenticated user, without performing any capability checks or verifying a security nonce.
When this endpoint renders the quarantine interface, it embeds a valid GOTMLS_mt token into HTML links.
Because other privileged AJAX handlers — such as:
- GOTMLS_scan
- GOTMLS_empty_trash
— rely only on the leaked token and do not enforce current_user_can(…), a low-privileged user (e.g., Subscriber) can:
✔ Reuse the leaked token
✔ Trigger GOTMLS_scan
✔ Supply an arbitrary file path
✔ Receive the contents of that file
This includes highly sensitive files like:
- wp-config.php
- credential-containing logs
- backup files
- environment configuration
Additionally, the same token works with GOTMLS_empty_trash, allowing the attacker to delete quarantine records, effectively tampering with detection artifacts.
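To make the failure mode concrete for plugin developers and reviewers, the following is an added illustration (not CleanTalk's research code and not the GOTMLS plugin's own source) of a generic WordPress admin-ajax handler written in the pattern the advisory describes, next to a hardened version. The handler names (demo_view_file_unchecked, demo_view_file_hardened, demo_quarantine_page), the action name demo_view_file and the directory DEMO_QUARANTINE_DIR are hypothetical; the WordPress API calls (current_user_can, check_ajax_referer, wp_create_nonce, sanitize_file_name, wp_send_json_error, wp_send_json_success) are real core functions.

```php
<?php
// Added example, not code from the plugin or the advisory.
// Hypothetical names: demo_view_file_unchecked, demo_view_file_hardened,
// demo_quarantine_page, the action "demo_view_file" and DEMO_QUARANTINE_DIR.

// --- The pattern the advisory describes: reachable by any logged-in user,
//     no capability check, no nonce, file path taken verbatim from the request.
function demo_view_file_unchecked() {
    $path = isset($_POST['file']) ? (string) $_POST['file'] : '';
    echo file_get_contents($path); // arbitrary file read for any authenticated account
    wp_die();
}

// --- Hardened form.
define('DEMO_QUARANTINE_DIR', WP_CONTENT_DIR . '/demo-quarantine'); // assumed location

function demo_view_file_hardened() {
    // 1. Capability check: the first thing the handler does. Subscribers have no
    //    manage_options capability, so they are rejected before any work happens.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // 2. Nonce bound to this specific action. A nonce issued for another action
    //    (e.g. a scan) will not validate here, which blocks cross-context reuse.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer('demo_view_file', 'nonce');

    // 3. Confine the requested file to the quarantine directory: strip path
    //    characters, resolve symlinks, and require the result to sit under the base.
    $name = isset($_POST['file']) ? sanitize_file_name(wp_unslash($_POST['file'])) : '';
    $base = realpath(DEMO_QUARANTINE_DIR);
    $full = ($name !== '') ? realpath(DEMO_QUARANTINE_DIR . '/' . $name) : false;
    if ($base === false || $full === false
        || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_send_json_error('invalid file', 400);
    }

    wp_send_json_success(array('content' => file_get_contents($full)));
}
// Registered only on the wp_ajax_ hook (logged-in users); never on wp_ajax_nopriv_.
add_action('wp_ajax_demo_view_file', 'demo_view_file_hardened');

// The nonce is minted only on an admin-only screen, so it is never rendered into
// links or markup that a lower-privilege user can fetch.
function demo_quarantine_page() {
    if (!current_user_can('manage_options')) {
        return;
    }
    $nonce = wp_create_nonce('demo_view_file');
    printf('<script>var demoNonce = %s;</script>', wp_json_encode($nonce));
}
```

Two design points matter here. The capability check and the nonce check are independent controls: a nonce alone proves only that the request came from a page WordPress rendered for that user, not that the user is allowed to perform the action, so current_user_can() must run as well. And because WordPress nonces are tied to an action string, giving each privileged handler its own action (view, scan, empty trash) means a token leaked from one interface cannot be replayed against another, which is exactly the cross-context reuse the advisory describes.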
Affected versions
The vulnerability has been confirmed in version 4.23.81 and earlier of the Anti-Malware Security and Brute-Force Firewall plugin.
The developers have already released a plugin update that addresses this issue. Users should update to the latest version.
CleanTalk Research Report:
https://research.cleantalk.org/cve-2025-11705/