The WordPress Anti-Malware Security and Brute-Force Firewall plugin has a vulnerability (CVE-2025-11705) that could allow low-privileged users to read sensitive files and access private data. Although the flaw is not rated critical, it affects over 50,000 sites; a recent update addresses the issue. #Wordfence #CVE-2025-11705
Key points
- The vulnerability impacts the WordPress plugin used on over 100,000 sites for malware protection.
- It stems from missing capability checks in the AJAX request handler, which let low-privileged users read files.
- Exploiting the flaw can expose sensitive data such as database credentials and user information.
- Wordfence released a patch (version 4.23.83) to fix the issue by adding proper user capability verification.
- Despite no signs of active exploitation, users are advised to update the plugin promptly to prevent potential attacks.
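To make the root cause concrete, here is an added illustration (not the plugin's code) of a hypothetical WordPress AJAX handler that reads a plugin-owned file: first in the shape the advisory describes, where the handler is reachable by any logged-in user with no capability check, and then hardened with a nonce, a `manage_options` capability check and a path restricted to a fixed directory. The action names, the `logs` directory and the `example_` functions are assumptions for the example.

```php
<?php
// Added illustration (not the plugin's code): a hypothetical WordPress AJAX
// handler that reads a plugin-owned file, first without and then with the
// authorization checks whose absence the advisory describes.

// --- Vulnerable shape: the wp_ajax_ hook runs for any logged-in user, and
// nothing verifies that the caller is an administrator. A Subscriber-level
// account can reach it through admin-ajax.php, and the path comes straight
// from the request.
function example_read_file_unsafe() {
    $path = $_POST['file'] ?? '';
    echo file_get_contents($path);
    wp_die();
}
add_action('wp_ajax_example_read_file_unsafe', 'example_read_file_unsafe');

// --- Hardened shape: nonce check against CSRF, capability check for
// authorization, and the readable file is confined to one directory.
function example_read_file_safe() {
    // Rejects the request (HTTP 403) unless a valid nonce for this action is present.
    check_ajax_referer('example_read_file', 'nonce');

    // Authorization: only users who may manage the site can read plugin files.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403); // calls wp_die() internally
    }

    // Strip directory components, then confirm the resolved path stays
    // inside the plugin's assumed "logs" directory.
    $name = sanitize_file_name(wp_unslash($_POST['file'] ?? ''));
    $base = realpath(plugin_dir_path(__FILE__) . 'logs');
    $path = ($base !== false && $name !== '') ? realpath($base . '/' . $name) : false;
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_send_json_error('invalid file', 400);
    }

    wp_send_json_success(file_get_contents($path));
}
add_action('wp_ajax_example_read_file_safe', 'example_read_file_safe');
```

When reviewing a plugin for this class of bug, look for every `add_action('wp_ajax_...')` registration and confirm its callback performs both `check_ajax_referer()` and a `current_user_can()` check before touching files or data.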