CVE-2025-11705 is a vulnerability categorized under CWE-862 (Missing Authorization) found in the scheeeli Anti-Malware Security and Brute-Force Firewall plugin for WordPress. The issue exists in all versions up to and including 4.23.81 and involves a lack of proper capability checks in several AJAX endpoints prefixed with GOTMLS_ that handle requests without verifying if the user has sufficient privileges. This flaw allows authenticated users with minimal privileges (Subscriber role or above) to read arbitrary files on the hosting server by exploiting these AJAX actions. The arbitrary file read capability can expose sensitive server files such as configuration files, database credentials, or other private data stored on the server. The vulnerability is remotely exploitable over the network without requiring user interaction, and the attacker only needs to be authenticated with a low-level WordPress user account. The CVSS v3.1 score is 6.5, reflecting a medium severity primarily due to the confidentiality impact and ease of exploitation with low privileges. No patches or fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability affects the confidentiality of data but does not impact integrity or availability. This issue highlights the importance of proper authorization checks in web application plugins, especially those handling sensitive security functions.

The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored on the server hosting the vulnerable WordPress plugin. Attackers with Subscriber-level access can read arbitrary files, potentially exposing database credentials, configuration files, private keys, or other sensitive data. This can lead to further compromise, including privilege escalation, data theft, or preparation for more sophisticated attacks. Organizations relying on this plugin risk data breaches and loss of confidentiality. Since the vulnerability does not affect integrity or availability, the immediate operational disruption is limited, but the exposure of sensitive data can have severe reputational and compliance consequences. The ease of exploitation by low-privilege users increases the risk, especially in environments where user accounts are not tightly controlled. The lack of known exploits in the wild suggests limited current exploitation but does not diminish the urgency to remediate. This vulnerability is particularly concerning for organizations with sensitive data hosted on WordPress sites using this plugin.

1. Immediately update the scheeeli Anti-Malware Security and Brute-Force Firewall plugin to a version that addresses this vulnerability once released by the vendor. 2. Until a patch is available, restrict access to the affected AJAX endpoints by implementing web application firewall (WAF) rules that block or limit requests to GOTMLS_* AJAX actions from low-privilege users. 3. Review and tighten user role assignments in WordPress to minimize the number of users with Subscriber or higher privileges, especially on publicly accessible sites. 4. Monitor server logs for unusual access patterns to AJAX endpoints or attempts to read sensitive files. 5. Consider isolating the WordPress environment and limiting file permissions to reduce the impact of arbitrary file reads. 6. Conduct a thorough audit of sensitive files on the server and consider rotating credentials or keys that may have been exposed. 7. Educate administrators on the risks of installing plugins without proper security reviews and encourage the use of plugins with strong security track records. 8. Employ intrusion detection systems to detect exploitation attempts targeting this vulnerability.