Wordfence (Anti-Malware Security and Brute-Force Firewall plugin by GOTMLS.NET, LLC)

A vulnerability (CVE-2025-11705, CVSS 6.8, Medium) was discovered in the Anti-Malware Security and Brute-Force Firewall WordPress plugin, affecting versions 4.23.81 and earlier. The flaw stemmed from a missing capability check in one of the plugin's functions: the code verified only that the caller was logged in, not that the caller was authorized. Any low-privileged authenticated user (a Subscriber or a member account, for example) could therefore read arbitrary files on the server, including wp-config.php, which holds the database credentials, the authentication salts and keys, and any other secrets the site stores there. On sites that allow open registration, such an account is available to anyone, so the "authenticated" requirement offers little protection.

The data at risk included email addresses, password hashes (or plaintext credentials where a site stored them that way), and other private user data reachable from the filesystem. No active exploitation had been reported at the time of disclosure, but the vulnerability posed a high risk of credential theft, unauthorized access, and follow-on attacks: database credentials recovered from wp-config.php typically allow an attacker to create or take over an administrator account.

A patch (version 4.23.83) was released on October 15, 2025. At the time of reporting, roughly 50,000 of the plugin's 100,000+ active installations remained unpatched. Although the CVSS score is Medium, the real-world impact escalates quickly when the file read is chained with other weaknesses. WordPress administrators were urged to update immediately to prevent breaches, data leaks, or account takeovers. The plugin's widespread use amplified the risk, particularly for sites with membership systems or stored user credentials.
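The root cause described above, CWE-285 in a WordPress AJAX handler, is easiest to see side by side. The following is an added illustration written for this page, not the plugin's own code and not the actual vulnerable function; the handler names (example_read_file_vulnerable, example_read_file_hardened), the AJAX actions and the nonce name are hypothetical. It shows the bug class (a wp_ajax_* handler that reads a caller-supplied path with no current_user_can() check) next to a hardened version that enforces authorization, CSRF protection and path confinement.

```php
<?php
/**
 * Added example, not code from the affected plugin. Demonstrates the
 * CWE-285 pattern behind CVE-2025-11705 (missing capability check on a
 * file-reading AJAX handler) beside a hardened handler. All function,
 * action and nonce names below are hypothetical.
 */

// --- VULNERABLE PATTERN ---------------------------------------------------
// wp_ajax_{action} hooks fire for ANY logged-in user, including the
// Subscriber role that open registration hands out. Being logged in is
// authentication, not authorization: without current_user_can() a
// subscriber can ask for any file the web server can read.
function example_read_file_vulnerable() {
	$path = isset( $_REQUEST['file'] ) ? wp_unslash( $_REQUEST['file'] ) : '';

	// No capability check, no nonce, no path restriction. A request such as
	//   admin-ajax.php?action=example_read&file=../wp-config.php
	// returns the database credentials and salts to a subscriber.
	echo file_get_contents( $path );
	wp_die();
}
add_action( 'wp_ajax_example_read', 'example_read_file_vulnerable' );

// --- HARDENED PATTERN -----------------------------------------------------
function example_read_file_hardened() {
	// 1. Authorization. This is the missing check in the CWE-285 class:
	//    decide WHO may call this, independent of being logged in.
	//    manage_options is held by Administrators (and Super Admins) only.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	// 2. CSRF. The nonce is bound to the action and the current user.
	//    Note that a nonce alone is NOT authorization: a subscriber can
	//    obtain a valid nonce for their own session, so the capability
	//    check above must come first. The page issuing the request would
	//    create it with wp_create_nonce( 'example_read_action' ).
	check_ajax_referer( 'example_read_action', 'example_read_nonce' );

	// 3. Path confinement. Resolve the requested name inside one base
	//    directory and reject anything that escapes it (../, symlinks,
	//    absolute paths) or that is not a regular file.
	$base      = realpath( WP_CONTENT_DIR . '/uploads' );
	$requested = isset( $_REQUEST['file'] )
		? sanitize_text_field( wp_unslash( $_REQUEST['file'] ) )
		: '';
	$resolved  = realpath( $base . '/' . ltrim( $requested, '/' ) );

	if ( false === $base
		|| false === $resolved
		|| 0 !== strpos( $resolved, $base . DIRECTORY_SEPARATOR )
		|| ! is_file( $resolved ) ) {
		wp_send_json_error( 'invalid file', 400 );
	}

	wp_send_json_success( file_get_contents( $resolved ) );
}
add_action( 'wp_ajax_example_read_hardened', 'example_read_file_hardened' );
```

When auditing a plugin for this class of flaw, grep for every wp_ajax_ and wp_ajax_nopriv_ registration and confirm that each callback performs a current_user_can() check appropriate to what the callback does before it touches the filesystem or the database; a check_ajax_referer() call on its own does not close the hole.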

Source: https://www.techradar.com/pro/security/this-popular-wordpress-security-plugin-has-a-worrying-flaw-which-exposed-user-data

TPRM report: https://www.rankiteo.com/company/defiant

"id": "def3292532103025",
"linkid": "defiant",
"type": "Vulnerability",
"date": "10/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"
{'affected_entities': [{'industry': 'Cross-industry (any sector using '
                                    'WordPress)',
                        'location': 'Global',
                        'name': 'WordPress Sites Using Anti-Malware Security '
                                'and Brute-Force Firewall Plugin',
                        'size': '100,000+ active installations (50,000+ remain '
                                'vulnerable)',
                        'type': ['Websites',
                                 'Small/Medium Businesses',
                                 'E-commerce Platforms',
                                 'Membership Sites']}],
 'attack_vector': ['Network',
                   'Authentication Required',
                   'Low Privilege Escalation'],
 'customer_advisories': ['Users of affected sites should change passwords if '
                         'plaintext storage was used',
                         'Site owners should notify users of potential data '
                         'exposure if exploitation is suspected'],
 'data_breach': {'data_encryption': 'Partial (hashed passwords, but plaintext '
                                    'possible)',
                 'data_exfiltration': 'Possible (if exploited)',
                 'file_types_exposed': ['wp-config.php',
                                        'Log files',
                                        'Database backups',
                                        'Other server-side files'],
                 'personally_identifiable_information': ['Email addresses',
                                                         'Potentially '
                                                         'passwords'],
                 'sensitivity_of_data': 'High (credentials, server '
                                        'configurations)',
                 'type_of_data_compromised': ['Credentials',
                                              'Configuration Files',
                                              'User PII (emails)']},
 'date_detected': '2025-10-14',
 'date_publicly_disclosed': '2025-10-15',
 'date_resolved': '2025-10-15',
 'description': 'A critical vulnerability (CVE-2025-11705) in the Anti-Malware '
                'Security and Brute-Force Firewall WordPress plugin (versions '
                '≤4.23.81) allowed low-privileged authenticated users to read '
                'arbitrary server files, including sensitive credentials like '
                'those in wp-config.php. The flaw, caused by missing '
                'capability checks, exposed email addresses, hashed/plaintext '
                'passwords, and other private data. A patch (v4.23.83) was '
                'released on October 15, 2025, but ~50,000 of the 100,000+ '
                'active installations remain unpatched and vulnerable.',
 'impact': {'brand_reputation_impact': 'High (due to exposure of sensitive '
                                       'credentials and potential for '
                                       'downstream attacks)',
            'data_compromised': ['Email addresses',
                                 'Passwords (hashed/plaintext)',
                                 'Server configuration files (e.g., '
                                 'wp-config.php)',
                                 'Private site data'],
            'identity_theft_risk': 'Moderate (if plaintext passwords were '
                                   'stored)',
            'operational_impact': 'Potential account takeovers, further '
                                  'privilege escalation, or lateral movement '
                                  'within compromised systems',
            'systems_affected': 'WordPress websites running Anti-Malware '
                                'Security and Brute-Force Firewall plugin '
                                '(≤4.23.81)'},
 'investigation_status': 'Ongoing (no confirmed exploitation in the wild as of '
                         'disclosure, but risk remains high for unpatched '
                         'systems)',
 'lessons_learned': ['Even security plugins can introduce critical '
                     'vulnerabilities if proper access controls are missing.',
                     'Medium-severity CVSS scores (e.g., 6.8) can still pose '
                     'significant real-world risks if exploited at scale.',
                     'Delayed patching leaves systems exposed to opportunistic '
                     'attacks, especially for widely used plugins.',
                     'Authentication requirements do not eliminate risk if '
                     'privilege escalation paths exist.'],
 'motivation': ['Opportunistic', 'Data Theft', 'Credential Harvesting'],
 'post_incident_analysis': {'corrective_actions': ['Added capability checks in '
                                                   'plugin function (v4.23.83)',
                                                   'Public disclosure to '
                                                   'accelerate patching',
                                                   'Recommendations for '
                                                   'WordPress hardening (e.g., '
                                                   'disabling file editing, '
                                                   'restricting admin access)'],
                            'root_causes': ['Missing capability checks in a '
                                            'plugin function (CWE-285: '
                                            'Improper Authorization)',
                                            'Overprivileged low-level user '
                                            'roles in WordPress ecosystems',
                                            'Delayed patch adoption due to '
                                            'lack of automated updates or '
                                            'awareness']},
 'recommendations': ['Immediately update the Anti-Malware Security and '
                     'Brute-Force Firewall plugin to version 4.23.83 or later.',
                     'Audit WordPress installations for other plugins with '
                     'similar capability check flaws.',
                     'Enforce least-privilege access controls for all user '
                     'roles, especially on membership/subscription sites.',
                     'Monitor for unauthorized file access attempts in server '
                     'logs.',
                     'Consider deploying a Web Application Firewall (WAF) to '
                     'block arbitrary file read attempts.',
                     'Educate users on the risks of storing plaintext '
                     'passwords or sensitive data in WordPress '
                     'configurations.'],
 'references': [{'source': 'Wordfence (Security Researchers)'},
                {'source': 'BleepingComputer'},
                {'source': 'TechRadar Pro'}],
 'response': {'communication_strategy': ['Vendor advisory',
                                         'Media coverage (e.g., '
                                         'BleepingComputer, TechRadar)'],
              'containment_measures': ['Patch release (v4.23.83) with '
                                       'capability checks'],
              'incident_response_plan_activated': 'Yes (by plugin vendor)',
              'remediation_measures': ['Urgent update advisory for all users',
                                       'Public disclosure to raise awareness'],
              'third_party_assistance': ['Wordfence (security researchers)']},
 'stakeholder_advisories': ['Plugin users urged to update immediately',
                            'Developers advised to review capability checks in '
                            'custom code'],
 'title': 'WordPress Anti-Malware Security Plugin Vulnerability '
          '(CVE-2025-11705) Exposes Sensitive Server Files',
 'type': ['Vulnerability', 'Unauthorized Access', 'Information Disclosure'],
 'vulnerability_exploited': {'affected_versions': '≤4.23.81',
                             'cve_id': 'CVE-2025-11705',
                             'cvss_score': 6.8,
                             'cvss_severity': 'Medium',
                             'description': 'Missing capability checks in a '
                                            'plugin function allowed arbitrary '
                                            'file read operations by '
                                            'low-privileged users.',
                             'patched_version': '4.23.83'}}