- WordPress plugin flaw let low-privileged users read sensitive server files and credentials
- CVE-2025-11705 affects plugin versions 4.23.81 and earlier; patch released October 15
- About 50,000 sites remain vulnerable; admins urged to update immediately
A popular WordPress plugin with more than 100,000 active installations carried a bug that allowed threat actors to read any file on the server, including people's email addresses and, in some cases, passwords too.
Security researchers at Wordfence reported a vulnerability in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress. As the name suggests, the plugin lets website owners scan for malware, protect their sites against brute-force attacks, defend against known flaws, and more.
However, the plugin was missing capability checks in one of its functions, which allowed low-privileged authenticated users to read arbitrary files on the server, including sensitive files such as wp-config.php, which stores the database credentials and other secrets of a WordPress site.
Patch available
In theory, malicious actors could use this to obtain people's email addresses, hashed or plaintext passwords (depending on what is stored), and other private data.
The bug is now tracked as CVE-2025-11705 and has a severity score of 6.8/10 (medium), a relatively low score because attackers must be authenticated to abuse it. That caveat offers little comfort to sites with any kind of membership or subscription feature, since those sites hand out exactly the low-privileged accounts the attack needs; any such site running the Anti-Malware Security and Brute-Force Firewall plugin is considered vulnerable.
Versions 4.23.81 and earlier of the plugin are affected.
The researchers reported their findings to the vendor on October 14, and a patch was issued a day later, on October 15. Version 4.23.83 addresses the bug by adding a proper user capability check via a new function. Since the release of the patch, roughly half of the users (around 50,000) have installed it, meaning there are still around 50,000 vulnerable websites.
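The passage above and the earlier description of the missing capability check describe a common WordPress bug class: an AJAX handler registered on a `wp_ajax_*` hook that assumes only administrators reach it, when in fact every logged-in user can call it. The following is an added example written for this article, not code from the Anti-Malware Security and Brute-Force Firewall plugin or from Wordfence; the action names, function names and the quarantine directory are hypothetical. It places a handler with the vulnerable shape beside a hardened one that does what the article says the fix did, namely verify the caller's capability before serving the request.

```php
<?php
/**
 * Added example, not the plugin's own code. Illustrates the bug class
 * described in the article: an admin-only AJAX file reader that never
 * checks who is calling it, beside a hardened version.
 * All action/function names and the directory below are hypothetical.
 */

// --- Vulnerable shape -------------------------------------------------
// wp_ajax_* hooks fire for EVERY authenticated user (subscriber, customer,
// member); they do not imply the caller is an administrator.
add_action( 'wp_ajax_example_view_file', 'example_view_file_vulnerable' );

function example_view_file_vulnerable() {
    // No nonce check, no capability check, no path validation:
    // POST action=example_view_file&path=wp-config.php from any logged-in
    // account returns the database credentials.
    $path = isset( $_POST['path'] ) ? wp_unslash( $_POST['path'] ) : '';
    $file = ABSPATH . $path;
    if ( is_readable( $file ) ) {
        echo file_get_contents( $file );
    }
    wp_die();
}

// --- Hardened shape ---------------------------------------------------
add_action( 'wp_ajax_example_view_file_safe', 'example_view_file_hardened' );

/**
 * Hypothetical helper: stop the request unless the current user holds the
 * required capability. wp_send_json_error() calls wp_die(), so nothing
 * after it runs for an unauthorized caller.
 */
function example_require_capability( $cap = 'manage_options' ) {
    if ( ! is_user_logged_in() || ! current_user_can( $cap ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }
}

function example_view_file_hardened() {
    // 1. CSRF protection: the nonce must have been issued for this action.
    check_ajax_referer( 'example_view_file_nonce', 'nonce' );

    // 2. Authorization: being logged in is not enough; require an admin
    //    capability. This is the check the vulnerable handler lacks.
    example_require_capability( 'manage_options' );

    // 3. Path confinement: only files inside one hypothetical directory may
    //    be read. basename() discards any directory component the caller
    //    supplies, and comparing realpath() results defeats symlink and
    //    "../" tricks that would otherwise escape the directory.
    $base = realpath( WP_CONTENT_DIR . '/example-quarantine' );
    $name = basename( wp_unslash( isset( $_POST['path'] ) ? $_POST['path'] : '' ) );
    $file = ( false === $base || '' === $name ) ? false : realpath( $base . '/' . $name );
    if ( false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( array( 'message' => 'Invalid path.' ), 400 );
    }

    wp_send_json_success( array( 'contents' => file_get_contents( $file ) ) );
}
```

The ordering matters: the nonce check defends against cross-site request forgery, the capability check defends against the subscriber-level attacker the article describes, and the path confinement limits the damage if either of the first two is ever bypassed. A site owner who cannot update immediately should at least confirm in the WordPress admin Plugins page that the installed version is 4.23.83 or later, and review the server's access logs for unexpected `admin-ajax.php` requests from low-privileged accounts.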
At press time, there was no word of exploitation in the wild, but vulnerabilities like this one often get exploited months after the patch, as attackers scan for sites that never updated. Website admins are therefore advised to apply the fix as soon as possible.
Via BleepingComputer
