100,000 WordPress Sites Affected by Arbitrary File Read Vulnerability in Anti-Malware Security and Brute-Force Firewall WordPress Plugin

On October 3rd, 2025, we received a submission for an Arbitrary File Read vulnerability in Anti-Malware Security and Brute-Force Firewall, a WordPress plugin with more than 100,000 active installations. This vulnerability makes it possible for an authenticated attacker, with subscriber-level permissions or higher, to read arbitrary files on the server, which may contain sensitive information.

Props to Dmitrii Ignatyev who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $960.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on October 14, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on November 13, 2025.

We were not able to find any contact information for the vendor, so we escalated the vulnerability to the WordPress.org Security Team which forwarded the report to the vendor on October 14, 2025. After that, the developer released a patch on October 15, 2025.

We urge users to update their sites with the latest patched version of Anti-Malware Security and Brute-Force Firewall, version 4.23.83 at the time of this publication, as soon as possible.


Calling all Vulnerability Researchers and Bug Bounty Hunters!

Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!

The LFInder Challenge: Refine your LFI hunting skills with an expanded scope. Now through November 24, 2025, all LFI vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier, AND earn a 30% bonus on all Local File Inclusion vulnerability submissions not already increased by another promotion.


Vulnerability Summary from Wordfence Intelligence

CVSS Rating: 7.1 (High)
Affected Versions: all versions up to, and including, 4.23.81
Patched Version: 4.23.83
Bounty: $960.00
Researcher: Dmitrii Ignatyev

The Anti-Malware Security and Brute-Force Firewall plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 4.23.81 due to a missing capability check combined with an information exposure in several GOTMLS_* AJAX actions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Technical Analysis

The affected software is a WordPress security plugin, which includes a malware scanner, brute force protection, and many other features.

Examining the code reveals that the plugin uses the GOTMLS_ajax_scan() function to display the scan result. The function contains the following code snippet, which outputs the contents of the requested file:

// Excerpt from GOTMLS_ajax_scan() in the vulnerable versions (4.23.81 and earlier)
$file = GOTMLS_decode($_GET["GOTMLS_scan"]); // user-supplied path, decoded but never restricted
// ...
} elseif (file_exists($file)) {
	$real_file = realpath($file);
	if (is_file($real_file) && ($filesize = filesize($real_file)))
		GOTMLS_load_contents(file_get_contents($real_file)); // file contents are sent back in the response

Although this function is nonce-protected, the nonce can unfortunately be obtained by authenticated attackers in the vulnerable version of the plugin.

The most significant problem, and the root cause of the vulnerability, is that there are no capability checks in the AJAX function. This made it possible for authenticated users, such as subscribers, to invoke the AJAX action and read any arbitrary file on the server, including the site’s wp-config.php file, which contains the database credentials as well as the keys and salts used for cryptographic security.

The Patch

The vendor of the plugin patched this issue by adding the GOTMLS_kill_invalid_user() function to the GOTMLS_ajax_scan() function, which includes a capability check.

function GOTMLS_ajax_scan() {
	$gt = ">"; // This local variable never changes
	$lt = "<"; // This local variable never changes
	GOTMLS_kill_invalid_user(); // added by the patch: terminates the request unless the user has the required capability
	if (GOTMLS_get_nonce()) {
	// ... remainder of GOTMLS_ajax_scan() not shown ...

// The new capability check and its helper:
function GOTMLS_kill_invalid_user($pre = "\n//Permission Error: ") {
	if ($return = GOTMLS_user_can())
		return $return;
	else
		die(sprintf(__("%s Invalid User Authentication!",'gotmls'), $pre));
}

function GOTMLS_user_can() {
	// Multisite requires manage_network; single-site defaults to activate_plugins
	// (administrators) unless the plugin settings specify another capability.
	if (is_multisite())
		$GLOBALS["GOTMLS"]["tmp"]["settings_array"]["user_can"] = "manage_network";
	elseif (!isset($GLOBALS["GOTMLS"]["tmp"]["settings_array"]["user_can"]) || $GLOBALS["GOTMLS"]["tmp"]["settings_array"]["user_can"] == "manage_network")
		$GLOBALS["GOTMLS"]["tmp"]["settings_array"]["user_can"] = "activate_plugins";
	if (current_user_can($GLOBALS["GOTMLS"]["tmp"]["settings_array"]["user_can"]))
		return true;
	else
		return false;
}
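To make the distinction between the two checks concrete, here is an added illustration (not the plugin's code, and not from Wordfence) of a minimal WordPress AJAX handler written the vulnerable way, with only a nonce check, beside a hardened version that checks a capability first and then confines the readable path to one directory. The handler and helper names prefixed example_, the nonce action 'example_scan', the query parameter 'file' and the base directory are assumptions; add_action, check_ajax_referer, current_user_can, wp_unslash, wp_send_json_success, wp_send_json_error and WP_CONTENT_DIR are WordPress core APIs.

```php
<?php
// Added example, not the plugin's code. Shows why a nonce alone is not an
// authorization control: a nonce proves the request came from a page the
// logged-in user could load (CSRF protection), not that the user is allowed
// to perform the action. Authorization is the capability check.

// --- Vulnerable pattern (shown for comparison only) -----------------------
// Any logged-in user who has obtained the nonce can read any file the web
// server account can read, because no capability is required and the path
// is not restricted.
function example_ajax_scan_vulnerable() {
    check_ajax_referer( 'example_scan', 'nonce' );       // nonce only
    $file = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
    if ( file_exists( $file ) && is_file( realpath( $file ) ) ) {
        wp_send_json_success( file_get_contents( realpath( $file ) ) );
    }
    wp_send_json_error( 'not found', 404 );
}

// --- Hardened handler -----------------------------------------------------
function example_ajax_scan_hardened() {
    // 1. Authorization first. An admin-only feature needs an admin-only
    //    capability; subscribers do not hold activate_plugins.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'Permission Error: Invalid User Authentication!', 403 );
    }

    // 2. CSRF protection. check_ajax_referer() ends the request on failure.
    check_ajax_referer( 'example_scan', 'nonce' );

    // 3. Path confinement. Use the narrowest directory the feature needs
    //    (hypothetical results directory here). ABSPATH would be too wide,
    //    since wp-config.php normally lives directly under it.
    $base      = WP_CONTENT_DIR . '/example-scan-results';
    $requested = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
    $real      = example_resolve_within( $requested, $base );
    if ( null === $real ) {
        wp_send_json_error( 'Invalid path', 400 );
    }
    wp_send_json_success( file_get_contents( $real ) );
}

// Canonicalise $path and return it only if it is a regular file inside $base;
// return null otherwise. Comparing realpath() results defeats ../ segments and
// symlinks that resolve outside the base directory.
function example_resolve_within( $path, $base ) {
    $real_base = realpath( $base );
    $real      = realpath( $path );
    if ( false === $real_base || false === $real || ! is_file( $real ) ) {
        return null;
    }
    $real_base = rtrim( $real_base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return 0 === strpos( $real, $real_base ) ? $real : null;
}

// wp_ajax_* hooks are reachable by any logged-in user, which is exactly why
// the handler itself must enforce the capability.
add_action( 'wp_ajax_example_scan', 'example_ajax_scan_hardened' );
```

The order matters: the capability check runs before anything else so that a low-privileged user gets a 403 without the handler ever touching the filesystem, and the nonce check is kept because the capability check does not protect an administrator against a forged cross-site request.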

Disclosure Timeline

October 3, 2025 – We received the submission for the Arbitrary File Read vulnerability in Anti-Malware Security and Brute-Force Firewall via the Wordfence Bug Bounty Program.
October 13, 2025 – We validated the report and confirmed the proof-of-concept exploit.
October 14, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide added protection against any exploits that may target this vulnerability.
October 14, 2025 – We escalated the vulnerability to the WordPress.org Security Team and sent over the full disclosure details.
October 14, 2025 – The WordPress.org Security Team acknowledged the report.
October 15, 2025 – The fully patched version of the plugin, 4.23.83, was released.
November 13, 2025 – Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed an Arbitrary File Read vulnerability within the Anti-Malware Security and Brute-Force Firewall plugin affecting versions 4.23.81 and earlier. This vulnerability allows threat actors with subscriber access to read arbitrary files, which can contain sensitive information. The vulnerability has been addressed in version 4.23.83 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Anti-Malware Security and Brute-Force Firewall as soon as possible.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on October 14, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on November 13, 2025.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure.
