
CVE-2025-11705: CWE-862 Missing Authorization in scheeeli Anti-Malware Security and Brute-Force Firewall

Severity: Medium
Tags: Vulnerability, CVE-2025-11705, CWE-862
Published: Wed Oct 29 2025 (10/29/2025, 04:27:11 UTC)
Source: CVE Database V5
Vendor/Project: scheeeli
Product: Anti-Malware Security and Brute-Force Firewall

Description

CVE-2025-11705 is a medium-severity vulnerability in the scheeeli Anti-Malware Security and Brute-Force Firewall WordPress plugin, affecting all versions up to 4.23.81. It arises from a missing authorization check in several AJAX actions (GOTMLS_*) that allow authenticated users with Subscriber-level access or higher to perform arbitrary file reads on the server. This flaw enables attackers to access sensitive files, potentially exposing confidential data without requiring user interaction. The vulnerability does not impact integrity or availability but poses a significant confidentiality risk. No known exploits are currently reported in the wild. The vulnerability has a CVSS 3.1 base score of 6.5, reflecting its moderate risk level.

AI-Powered Analysis

AI analysis last updated: 11/05/2025, 11:58:36 UTC

Technical Analysis

CVE-2025-11705 is a vulnerability classified under CWE-862 (Missing Authorization) found in the scheeeli Anti-Malware Security and Brute-Force Firewall plugin for WordPress. The issue stems from the plugin's failure to enforce proper capability checks on several AJAX endpoints prefixed with GOTMLS_ that handle requests from authenticated users. Specifically, users with Subscriber-level privileges or higher can exploit these endpoints to read arbitrary files on the hosting server. This arbitrary file read vulnerability allows attackers to access sensitive server files such as configuration files, database credentials, or other protected data stored on the server. The vulnerability affects all plugin versions up to and including 4.23.81. Exploitation requires authentication but no additional user interaction, and the attack vector is network-based (remote). The CVSS 3.1 score of 6.5 reflects a medium severity, with a high impact on confidentiality but no impact on integrity or availability. No patches or exploit code are currently publicly available, and no active exploitation has been reported. The flaw is significant because WordPress is widely used, and this plugin is designed to enhance security, ironically introducing a critical information disclosure risk. Attackers who gain Subscriber-level access, which is often easier to obtain than higher privileges, can leverage this vulnerability to expand their knowledge of the environment and plan further attacks.

Potential Impact

For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive information stored on web servers running WordPress with the affected plugin. This includes potential exposure of database credentials, private keys, configuration files, or personal data protected under GDPR. Such data leaks can facilitate further attacks, including privilege escalation, lateral movement, or targeted data theft. The breach of confidentiality could result in regulatory penalties, reputational damage, and financial loss. Since WordPress is widely adopted across Europe for corporate, governmental, and small business websites, the attack surface is considerable. Organizations relying on this plugin for security may have a false sense of protection, increasing risk exposure. The vulnerability is particularly concerning for sectors handling sensitive personal or financial data, such as finance, healthcare, and public administration. Additionally, the ease of exploitation by low-privilege authenticated users increases the likelihood of insider threats or exploitation via compromised accounts.

Mitigation Recommendations

1. Immediate mitigation involves updating the scheeeli Anti-Malware Security and Brute-Force Firewall plugin to a patched version once available. Since no patch links are currently provided, organizations should monitor vendor advisories closely.
2. Restrict user roles and permissions rigorously, minimizing the number of users with Subscriber-level or higher access, and enforce strong authentication mechanisms to reduce the risk of account compromise.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious AJAX requests targeting GOTMLS_* actions until a patch is released.
4. Conduct regular audits of user accounts and remove or disable inactive or unnecessary accounts to limit potential attackers.
5. Monitor server logs for unusual file access patterns or AJAX requests that could indicate exploitation attempts.
6. Consider isolating WordPress instances and sensitive data storage to limit the impact of any arbitrary file read.
7. Educate administrators and users about the risks of privilege escalation and the importance of maintaining least privilege principles.
8. If immediate patching is not possible, temporarily disable the vulnerable plugin or replace it with alternative security solutions that do not exhibit this vulnerability.
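Items 3 and 5 above ask defenders to watch WAF and server logs for AJAX requests that invoke GOTMLS_* actions. The Python script below is an added example and is not part of this advisory or of the plugin's own code: it parses Apache/Nginx combined-format access-log lines (constructed sample lines with documentation-range IPs and a made-up `GOTMLS_example` action name; only the `GOTMLS_` prefix and the `admin-ajax.php` endpoint come from the advisory and WordPress itself), flags requests to `admin-ajax.php` whose `action` parameter carries the `GOTMLS_` prefix, and counts them per client address so a spike from one account or host stands out.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample Apache/Nginx "combined" log lines. The IPs come from
# documentation ranges and the action name GOTMLS_example is invented for
# illustration; only the GOTMLS_ prefix is taken from the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [29/Oct/2025:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Oct/2025:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=GOTMLS_example HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [29/Oct/2025:10:01:11 +0000] "POST /wp-admin/admin-ajax.php?action=GOTMLS_example HTTP/1.1" 200 498 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Oct/2025:10:02:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"
198.51.100.7 - - [29/Oct/2025:10:02:31 +0000] "GET /?p=42 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
not a log line at all
"""

# Combined format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

AJAX_ENDPOINT = "/wp-admin/admin-ajax.php"   # WordPress AJAX entry point
ACTION_PREFIX = "GOTMLS_"                     # action prefix named in the advisory


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # parse_qs returns lists; keep the first 'action' value, or '' when absent
    entry["action"] = parse_qs(parts.query).get("action", [""])[0]
    return entry


def is_gotmls_ajax(entry):
    """True when the request hits admin-ajax.php with a GOTMLS_* action."""
    return entry["path"].endswith(AJAX_ENDPOINT) and entry["action"].startswith(ACTION_PREFIX)


def find_gotmls_requests(log_text):
    """Return the parsed entries that invoke a GOTMLS_* AJAX action."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_gotmls_ajax(entry):
            hits.append(entry)
    return hits


def summarize_by_ip(entries):
    """Count flagged requests per client address (dict of ip -> count)."""
    return dict(Counter(e["ip"] for e in entries))


if __name__ == "__main__":
    flagged = find_gotmls_requests(SAMPLE_LOG)
    for e in flagged:
        print(f'{e["ts"]} {e["ip"]} {e["method"]} action={e["action"]} status={e["status"]}')
    print("per-IP counts:", summarize_by_ip(flagged))
```

Two caveats matter when running this against real logs. WordPress AJAX clients usually send `action` in the POST body rather than the query string, so a stock access log will not show it; the detection needs either a log format that records the request body, or a WAF/reverse proxy (for example ModSecurity) that inspects POST parameters and logs the `action` value. Second, the plugin's legitimate administrative interface also calls GOTMLS_* actions, so a rule that blocks every such request will break the plugin for administrators; scope the block to sessions without administrative capabilities where the WAF can see that, or accept reduced plugin functionality until the fix is installed.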


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-10-13T19:18:31.121Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69019e3e14defc143b8e553c

Added to database: 10/29/2025, 4:55:26 AM

Last enriched: 11/5/2025, 11:58:36 AM

Last updated: 12/12/2025, 7:53:41 AM

Views: 258
