WordPress Security Plugin Ironically Contains Critical File-Read Flaw

Critical Arbitrary File Read Vulnerability (CVE-2025-11705) in 'Anti-Malware Security' WordPress Plugin Affects 100,000+ Sites

CRITICAL
November 18, 2025
Categories: Vulnerability, Patch Management


Executive Summary

In a case of security software being insecure, a critical vulnerability has been found in the Anti-Malware Security and Brute-Force Firewall (GOTMLS) plugin for WordPress. The flaw, tracked as CVE-2025-11705, is an arbitrary file read vulnerability that affects over 100,000 websites. It allows any authenticated user, regardless of permission level (including basic 'Subscribers'), to read any file on the web server that the web server process can access. This critically includes the wp-config.php file, which contains database credentials and authentication salts; access to this file can lead to complete compromise of the website. The issue was discovered by the CleanTalk research team, and users must update the plugin immediately.

Vulnerability Details

  • CVE ID: CVE-2025-11705
  • Vulnerability Type: Broken Access Control / Arbitrary File Read
  • Affected Component: GOTMLS_View_Quarantine AJAX action
  • Required Privileges: Any authenticated user (e.g., Subscriber)

The vulnerability exists because the AJAX function GOTMLS_View_Quarantine fails to perform proper capability checks. This function is intended for administrators to view quarantined files. However, the developers did not correctly restrict its access, making it available to any logged-in user. Furthermore, the function lacks proper input validation and path traversal protection. An attacker can manipulate the input to this function to specify an arbitrary file path on the server. The function will then read the contents of that file and return it in the HTTP response.

The most critical attack scenario is reading the wp-config.php file. This file contains:

  • Database name, username, and password.
  • WordPress unique keys and salts for authentication.

With this information, an attacker can connect directly to the website's database to steal or modify data, create new admin users, or use the authentication salts to forge login cookies.

Affected Systems

  • Product: Anti-Malware Security and Brute-Force Firewall (GOTMLS)
  • Affected Versions: All versions up to and including the latest unpatched version.
  • Status: A patched version has been released, and users must update.

Exploitation Status

The vulnerability details are public, making it highly likely that threat actors will begin scanning for and exploiting vulnerable websites. The low privilege requirement makes it easy to exploit; an attacker only needs to register a free subscriber account on a target site, a feature that is enabled on many blogs and forums.

Impact Assessment

The impact of exploiting CVE-2025-11705 is critical. By reading the wp-config.php file, an attacker gains the keys to the kingdom. This can lead to:

  • Full Database Compromise: Attackers can read, modify, or delete all data in the website's database, including user PII, orders, and posts.
  • Complete Site Takeover: By creating a new administrator account in the database, the attacker gains full control over the WordPress site.
  • Further Attacks: The compromised site can be used as a platform for malware distribution, phishing, or as a pivot point into the hosting environment.

The irony of a security plugin introducing such a severe vulnerability undermines user trust and highlights the importance of code quality and security audits for all software, especially security tools.

Cyber Observables for Detection

  • URL Pattern: /wp-admin/admin-ajax.php. Monitor POST requests where the action parameter is GOTMLS_View_Quarantine; this is highly suspicious if initiated by a non-administrator.
  • Request Parameter Pattern: action=GOTMLS_View_Quarantine&file=../../../../wp-config.php. Look for path traversal sequences in the parameters of requests to admin-ajax.php.
  • Log Source: Web Server Access Logs. A low-privilege user successfully calling an admin-level AJAX action is a strong indicator of an authorization bypass attempt.

Detection Methods

  • Plugin Version Check: The most reliable way to identify vulnerable sites is to check the version of the GOTMLS plugin. Administrators should ensure they are running the latest patched version.
  • Log Analysis: Review admin-ajax.php access logs. Filter for requests with action=GOTMLS_View_Quarantine and inspect the user ID and role associated with the request. Any request from a user who is not an administrator is a sign of an exploit attempt. This is a form of D3FEND Protocol Analysis.
  • WAF Rules: A Web Application Firewall can be configured to block requests to admin-ajax.php that contain path traversal characters (../) in their parameters, which would block this specific exploit vector.

Remediation Steps

  1. Update Immediately: The only proper remediation is to update the 'Anti-Malware Security and Brute-Force Firewall' plugin to the latest version through the WordPress dashboard.
  2. Assume Compromise and Rotate Credentials: If you were running a vulnerable version, you must assume that your wp-config.php file has been compromised. Immediately rotate your database password, and all WordPress authentication keys and salts. This will invalidate all existing user sessions and database connections.
  3. Audit User Accounts: After rotating credentials, thoroughly audit all user accounts in your WordPress database for any unauthorized accounts, especially those with administrator privileges.
  4. Scan Website: Perform a full scan of your website files and database to look for any backdoors or malicious content that may have been planted by an attacker.
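Step 2 above, rotating the secrets stored in wp-config.php, as an added example (not the article's own code and not a WordPress tool): it generates eight fresh 64-character salts from a CSPRNG and rewrites the matching define() lines, and can replace the DB_PASSWORD define in the same pass. The sample config fragment and the function names are constructed for the illustration. The database password must also be changed on the database server itself, which this code does not do, and WordPress's own salt service at https://api.wordpress.org/secret-key/1.1/salt/ is the usual source of new values; the generator here is a stand-in that produces the same shape.

```python
import re
import secrets
import string

# The eight constants WordPress reads from wp-config.php to sign and encrypt
# authentication cookies and nonces. Changing them logs every user out.
WP_SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable characters minus quotes and backslash, so a value can be dropped
# into a PHP single-quoted literal without escaping.
_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits + string.punctuation
    if c not in "'\"\\"
)

# Matches the stock single-quoted form: define( 'NAME', 'value' );
_DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\);")


def generate_salts(length: int = 64) -> dict:
    """Return a fresh value for each of the eight salt constants."""
    return {
        key: "".join(secrets.choice(_ALPHABET) for _ in range(length))
        for key in WP_SALT_KEYS
    }


def rotate_defines(config: str, new_values: dict) -> str:
    """Rewrite every define() in `config` whose name is in `new_values`.

    Raises ValueError if any requested constant was not found, so a typo in a
    hand-edited wp-config.php cannot leave an old secret silently in place.
    """
    seen = set()

    def replace(match):
        name = match.group("name")
        if name not in new_values:
            return match.group(0)          # leave unrelated defines untouched
        seen.add(name)
        return f"define( '{name}', '{new_values[name]}' );"

    updated = _DEFINE_RE.sub(replace, config)
    missing = set(new_values) - seen
    if missing:
        raise ValueError(f"defines not found in config: {sorted(missing)}")
    return updated


# Constructed wp-config.php fragment standing in for a real file.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'old-db-password' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY',         'old-auth-key' );
define( 'SECURE_AUTH_KEY',  'old-secure-auth-key' );
define( 'LOGGED_IN_KEY',    'old-logged-in-key' );
define( 'NONCE_KEY',        'old-nonce-key' );
define( 'AUTH_SALT',        'old-auth-salt' );
define( 'SECURE_AUTH_SALT', 'old-secure-auth-salt' );
define( 'LOGGED_IN_SALT',   'old-logged-in-salt' );
define( 'NONCE_SALT',       'old-nonce-salt' );
$table_prefix = 'wp_';
"""


def rotate_sample(new_db_password: str) -> str:
    """Rotate the salts and the DB password in the constructed sample."""
    return rotate_defines(SAMPLE_CONFIG, {**generate_salts(), "DB_PASSWORD": new_db_password})


if __name__ == "__main__":
    print(rotate_sample("new-db-password-set-on-the-db-server-too"))
```

The rewrite is done with a callable replacement so that characters such as `$` or `\` in a generated value are never interpreted as regex back-references, and the `seen` bookkeeping turns a missing constant into a hard failure rather than a partial rotation.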

Timeline of Events

  1. November 18, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Update the plugin to the latest patched version immediately.
  • If a compromise is suspected, immediately rotate all credentials stored in wp-config.php (database password, salts, and keys).
  • Regularly audit WordPress user accounts for any unauthorized additions, especially administrator accounts.

D3FEND Defensive Countermeasures

The most urgent action for any administrator of a site using the 'Anti-Malware Security' plugin is to perform a software update. This vulnerability is critical and easy to exploit. The update should be applied immediately via the WordPress dashboard. Following the update, it is not enough to assume safety. Because the flaw could have been exploited prior to patching, a full credential rotation must be performed. This includes changing the database password in wp-config.php and on the database server, as well as regenerating the WordPress salts and keys. This invalidates any data stolen via CVE-2025-11705.

As a general hardening measure, WordPress site configurations should be strengthened to limit the impact of such vulnerabilities. One key configuration is to disable open user registration if it is not essential for the site's function. This would prevent an attacker from easily creating the low-privilege 'Subscriber' account needed to exploit CVE-2025-11705. For sites that require registration, implementing email verification and CAPTCHA can raise the bar for attackers. Additionally, file permissions for wp-config.php should be hardened (e.g., chmod 400) so that it is only readable by the owner, not the web server process itself, which can mitigate some, but not all, file read vulnerabilities.

A Web Application Firewall (WAF) can provide an effective 'virtual patch' against CVE-2025-11705. A WAF rule should be created to inspect all requests to wp-admin/admin-ajax.php. The rule should specifically look for requests where the action parameter is GOTMLS_View_Quarantine and the request contains path traversal sequences like ../ in the file parameter. By blocking these specific requests, the WAF prevents the exploit from reaching the vulnerable plugin code. This is a crucial layer of defense that can protect a site during the window between vulnerability disclosure and the application of a patch.
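The Detection Methods log review and the WAF rule just described share one decision: is this a request to admin-ajax.php for the GOTMLS_View_Quarantine action, and does its file parameter carry a traversal sequence? The following added example (not from the article or the plugin) implements that decision once and runs it over constructed Apache combined-format log lines: every call to the action is raised for role review, and calls whose file parameter contains `..`, including URL-encoded and double-encoded forms, are marked blockable. It goes slightly beyond the page's `../` pattern by also treating an absolute path as out of bounds. The function names, log lines and IP addresses are constructed. One caveat for log review: a standard access log records only the query string, while admin-ajax.php accepts `action` from either the query string or the POST body, so parameters sent only in the body are visible to a WAF or to request logging that captures bodies, not to this scan.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

VULN_ACTION = "GOTMLS_View_Quarantine"

# Apache/nginx combined format: ip ident user [time] "METHOD target PROTO" status ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
_DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")


def has_traversal(value: str) -> bool:
    """True if a file parameter tries to leave its directory.

    Decodes twice so %2e%2e%2f and double-encoded %252e%252e%252f are caught,
    and normalises backslashes so '..\\' is treated like '../'.
    """
    decoded = unquote(unquote(value)).replace("\\", "/")
    return bool(_DOTDOT_SEGMENT.search(decoded)) or decoded.startswith("/")


def classify(target: str) -> tuple:
    """Return (verdict, reason) for one request target; verdict is
    'block', 'alert' or 'allow'. The same rule serves a WAF and a log scan."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return "allow", "not admin-ajax.php"
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("action", [""])[0] != VULN_ACTION:
        return "allow", "other AJAX action"
    for value in params.get("file", []):
        if has_traversal(value):
            return "block", f"{VULN_ACTION} with path traversal in file parameter"
    # The action itself is admin-only, so any caller must be checked against the
    # user role (access logs do not carry it; correlate with the WordPress session).
    return "alert", f"{VULN_ACTION} called; confirm the requester is an administrator"


def scan_log(lines) -> list:
    """Run classify() over raw log lines and return the non-'allow' findings."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        verdict, reason = classify(m["target"])
        if verdict != "allow":
            findings.append({
                "ip": m["ip"], "time": m["time"], "status": m["status"],
                "verdict": verdict, "reason": reason,
                # A 200 on a blockable request means the read likely succeeded.
                "likely_success": verdict == "block" and m["status"] == "200",
            })
    return findings


# Constructed log lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Nov/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Nov/2025:10:01:40 +0000] "POST /wp-admin/admin-ajax.php?action=GOTMLS_View_Quarantine&file=../../../../wp-config.php HTTP/1.1" 200 3311 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Nov/2025:10:01:45 +0000] "GET /wp-admin/admin-ajax.php?action=GOTMLS_View_Quarantine&file=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 403 199 "-" "curl/8.0"',
    '198.51.100.4 - - [18/Nov/2025:10:02:10 +0000] "POST /wp-admin/admin-ajax.php?action=GOTMLS_View_Quarantine&file=evil.php.txt HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [18/Nov/2025:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 60 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['verdict']:5s} {f['ip']:14s} {f['time']} status={f['status']} {f['reason']}")
```

Run as a WAF rule, only the `block` verdict needs to deny the request; run over logs, the `alert` verdict is the one that needs a role lookup, because the action is legitimate for an administrator and an exploit attempt for anyone else. A `block` finding with status 200 dated before the patch is the signal to carry out the credential rotation in the Remediation Steps.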

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

WordPress, Vulnerability, CVE-2025-11705, Arbitrary File Read, Patch Management, GOTMLS
