WordPress Anti-Malware Plugin Flaw Exposes 100K Sites To An Alarming Security Threat
The vulnerability, which affects version 4.23.81 and earlier, has been designated CVE-2025-11705. It was submitted to Wordfence’s bug bounty program by security researcher Dmitrii Ignatyev, who received a $960 award for the report.

The flaw stems from an error in the plugin’s code: one of its functions does not properly complete its checks. An attacker can abuse that function to read the site’s configuration file, which can contain database credentials and other critical information. With that data, a threat actor gains direct access to information stored on the site’s server, including user emails, posts and passwords.
The threat is tempered, however, by the fact that an attacker must already be authenticated to reach the vulnerable function. That is typically possible on sites that let visitors register accounts for extra functionality, such as leaving comments on articles or blog posts.
Site administrators who run WordPress should check whether Anti-Malware Security and Brute-Force Firewall is among their installed plugins. If it is, they should update to the latest version as soon as possible. Wordfence has not seen the vulnerability exploited in the wild, but now that it is public it is only a matter of time before malicious individuals or groups take notice and attempt to take advantage of it.
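As an added example (not code from the article or the plugin), a POSIX shell script an administrator could run on each site to flag installs of the plugin at or below 4.23.81 from WP-CLI output; it assumes the plugin’s WP-CLI slug is `gotmls` and falls back to a constructed sample plugin list when `wp` is not installed.

```shell
#!/bin/sh
# Added example, not the article's or the plugin's own code: flag installs of
# Anti-Malware Security and Brute-Force Firewall at or below version 4.23.81.
# The slug "gotmls" is an assumption; confirm it against `wp plugin list`.
PLUGIN_SLUG="gotmls"
LAST_VULNERABLE="4.23.81"

# version_le A B: succeeds when dotted numeric version A <= B (missing parts = 0).
version_le() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        [ "$a" = "$x" ] && a="" || a="${a#*.}"
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 0
}
# is_vulnerable VERSION: succeeds when VERSION is 4.23.81 or earlier.
is_vulnerable() { version_le "$1" "$LAST_VULNERABLE"; }

# check_plugin_list: reads name,version,status CSV lines on stdin (the shape of
# `wp plugin list --fields=name,version,status --format=csv`), prints a verdict
# for the plugin, and succeeds only if an affected install was seen.
check_plugin_list() {
    found=1
    while IFS=, read -r name version status; do
        [ "$name" = "$PLUGIN_SLUG" ] || continue
        if is_vulnerable "$version"; then
            echo "AFFECTED: $name $version ($status) -> run: wp plugin update $PLUGIN_SLUG"
            found=0
        else
            echo "OK: $name $version is newer than $LAST_VULNERABLE"
        fi
    done
    return "$found"
}
# Constructed sample standing in for a real WP-CLI run when wp is unavailable.
SAMPLE_PLUGINS='name,version,status
akismet,5.3,active
gotmls,4.23.81,active'
if command -v wp >/dev/null 2>&1; then
    wp plugin list --fields=name,version,status --format=csv | check_plugin_list
else
    printf '%s\n' "$SAMPLE_PLUGINS" | check_plugin_list
fi || echo "No affected $PLUGIN_SLUG install found in the plugin list"
```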