Vulnerabilities and security researches forgotmls gotmls

May 01, 2026

CVE, Research URL: CVE-2026-39478
Home page URL: Security reports for Anti-Malware Security and Brute-Force Firewall
Application: Anti-Malware Security and Brute-Force Firewall
Date: -
Research Description: Anti-Malware Security and Brute-Force Firewall [gotmls] < 4.23.88 CVE-2026-39478
Affected versions: max 4.23.88.
Status: vulnerable

Dec 10, 2025

CVE, Research URL: CVE-2025-11705
Home page URL: Security reports for Anti-Malware Security and Brute-Force Firewall
Application: Anti-Malware Security and Brute-Force Firewall
Date: Oct 29, 2025
Research Description: The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several GOTMLS_* AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Affected versions: max 4.23.83.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: CVE-2022-2599
Home page URL: Security reports for Anti-Malware Security and Brute-Force Firewall
Application: Anti-Malware Security and Brute-Force Firewall
Date: Aug 29, 2022
Research Description: The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.21.83 does not sanitise and escape some parameters before outputting them back in an admin dashboard, leading to Reflected Cross-Site Scripting
Affected versions: max 4.21.83.
Status: vulnerable

CVE, Research URL: CVE-2021-25101
Home page URL: Security reports for Anti-Malware Security and Brute-Force Firewall
Application: Anti-Malware Security and Brute-Force Firewall
Date: Feb 21, 2022
Research Description: The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.94 does not sanitise and escape the POST data before outputting it back in attributes of an admin page, leading to a Reflected Cross-Site scripting. Due to the presence of specific parameter value, available to admin users, this can only be exploited by an admin against another admin user.
Affected versions: max 4.20.94.
Status: vulnerable

CVE, Research URL: -
Home page URL: Security reports for Anti-Malware Security and Brute-Force Firewall
Application: Anti-Malware Security and Brute-Force Firewall
Date: Jan 16, 2023
Research Description: Rejected reason: This issue does not bear any security risk as it's only exploitable by users with administrator or super-administrator roles, who can already do what they want on their site.
Affected versions: max 1.2.07.20.
Status: vulnerable

CVE, Research URL: CVE-2022-0953
Home page URL: Security reports for Anti-Malware Security and Brute-Force Firewall
Application: Anti-Malware Security and Brute-Force Firewall
Date: Apr 25, 2022
Research Description: The Anti-Malware Security and Brute-Force Firewall WordPress plugin before 4.20.96 does not sanitise and escape the QUERY_STRING before outputting it back in an admin page, leading to a Reflected Cross-Site Scripting in browsers which do not encode characters
Affected versions: max 4.15.20.
Status: vulnerable

CVE, Research URL: CVE-2024-22144
Home page URL: Security reports for Anti-Malware Security and Brute-Force Firewall
Application: Anti-Malware Security and Brute-Force Firewall
Date: Apr 25, 2024
Research Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Eli Scheetz Anti-Malware Security and Brute-Force Firewall gotmls allows Code Injection.This issue affects Anti-Malware Security and Brute-Force Firewall: from n/a through 4.21.96.
Affected versions: max 4.23.56.
Status: vulnerable