This popular WordPress security plugin has a worrying flaw which exposed user data


  • WordPress plugin flaw let low-privileged users access sensitive server files and credentials
  • CVE-2025-11705 affects plugin versions 4.23.81 and earlier; patch released October 15
  • About 50,000 sites remain vulnerable; admins urged to update immediately

A popular WordPress plugin with more than 100,000 active installations carried a bug that allowed threat actors to read any file on the server, including users' email addresses and, in some cases, passwords.

Security researchers at Wordfence reported a vulnerability in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress. As the name suggests, this plugin allows site owners to scan for malware, protect their sites against brute-force attacks, defend against known flaws, and more.

However, the plugin was missing a capability check in one of its functions, which allowed low-privileged users to read arbitrary files on the server, including sensitive files such as wp-config.php, which stores the site's credentials.

Patch available

In theory, malicious actors could use this to obtain people's email addresses, hashed or plaintext passwords (depending on what is stored), and other private data.

The bug is now tracked as CVE-2025-11705 and has a severity score of 6.8/10 (medium). The score is relatively low because attackers need to be authenticated to abuse it, but any site that allows memberships or subscriptions and runs the Anti-Malware Security and Brute-Force Firewall plugin is considered vulnerable.

Versions 4.23.81 and earlier of the plugin are affected.

The researchers reported their findings to the vendor on October 14, and a patch was issued a day later, on October 15. Version 2.23.83 addresses the bug by adding a proper user capability check via a new function. Since the release of the patch, roughly half of the users (around 50,000) have installed it, which leaves around 50,000 websites still vulnerable.
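The flaw class described above (a privileged file-reading function reachable by any authenticated user because it never checks the caller's capability) and the shape of the fix (adding that check) are easy to see in a small WordPress AJAX handler. The example below is added here for illustration; it is not the plugin's own code, and the handler name, action name, and EXAMPLE_LOG_DIR constant are hypothetical. It shows the vulnerable pattern beside a hardened version that adds a capability check, a nonce check, and a restriction on which paths may be read.

```php
<?php
// Added example (not code from the Anti-Malware Security and Brute-Force
// Firewall plugin): a hypothetical "view log file" AJAX handler.
// All names (example_view_file, EXAMPLE_LOG_DIR) are invented for illustration.

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_* hooks run for every logged-in user, so without a capability
// check a subscriber-level account can call this through admin-ajax.php.
function example_view_file_vulnerable() {
    $path = isset( $_GET['file'] ) ? (string) wp_unslash( $_GET['file'] ) : '';
    // Arbitrary file read: the user-supplied path is used unchanged,
    // so it can point anywhere the web server can read (e.g. wp-config.php).
    echo file_get_contents( $path );
    wp_die();
}
add_action( 'wp_ajax_example_view_file_vulnerable', 'example_view_file_vulnerable' );

// --- Hardened pattern -----------------------------------------------------
// Hypothetical directory that the feature is actually meant to expose.
define( 'EXAMPLE_LOG_DIR', WP_CONTENT_DIR . '/example-logs' );

function example_view_file_fixed() {
    // 1. Capability check: only users allowed to manage the site may read files.
    //    This is the check whose absence produced the bug described above.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce for this action.
    check_ajax_referer( 'example_view_file', 'nonce' );

    // 3. Path restriction: strip directory separators from the requested name,
    //    resolve it inside EXAMPLE_LOG_DIR, and refuse anything that escapes
    //    that directory (realpath() collapses "../" and symlinks).
    $name = sanitize_file_name( isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '' );
    $base = realpath( EXAMPLE_LOG_DIR );
    $full = realpath( EXAMPLE_LOG_DIR . '/' . $name );
    if ( false === $base || false === $full
        || 0 !== strpos( $full, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'file not allowed', 400 );
    }

    wp_send_json_success( array( 'content' => file_get_contents( $full ) ) );
}
add_action( 'wp_ajax_example_view_file', 'example_view_file_fixed' );
```

For defenders reviewing a plugin, the thing to look for is any `wp_ajax_*` (not `wp_ajax_nopriv_*`) handler or REST route that touches the filesystem, the database, or site options without a `current_user_can()` check early in the function; the capability check, not the nonce, is what stops a low-privileged account, because a subscriber can obtain a valid nonce for their own session.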

At press time, there was no word of exploitation in the wild, but vulnerabilities like this one often get exploited months after the patch. Website admins are therefore advised to apply the fix as soon as possible.

Via BleepingComputer





Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
