WordPress security plugin exposes private data to site subscribers www.bleepingcomputer.com/news/secu…
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress, installed on over 100,000 sites, has a vulnerability that allows subscribers to read any file on the server, potentially exposing private information.
The plugin provides malware scanning and protection against brute-force attacks, exploitation of known plugin flaws, and database injection attempts.
Identified as CVE-2025-11705, the vulnerability was reported to Wordfence by researcher Dmitrii Ignatyev and affects plugin versions 4.23.81 and earlier.