CVE-2025-11705 is a vulnerability identified in the scheeeli Anti-Malware Security and Brute-Force Firewall plugin for WordPress, present in all versions up to and including 4.23.81. The root cause is a missing authorization check (CWE-862) in several AJAX actions prefixed with GOTMLS_ that handle requests without verifying the user's capability properly. This flaw allows authenticated users with minimal privileges (Subscriber-level or above) to perform arbitrary file read operations on the server hosting the WordPress site. The vulnerability arises because the plugin exposes sensitive file contents through these AJAX endpoints without adequate access control, enabling attackers to retrieve files that may contain credentials, configuration data, or other sensitive information. The CVSS v3.1 base score is 6.5, reflecting a medium severity level, with a vector indicating network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality only. There are no known public exploits at this time, but the vulnerability presents a significant risk due to the low privilege required and the potential sensitivity of exposed data. The flaw does not affect the integrity or availability of the system but can lead to information disclosure that may facilitate further attacks. The vulnerability was published on October 29, 2025, and no official patches have been linked yet, emphasizing the need for immediate mitigation steps by affected users.

For European organizations, this vulnerability poses a risk primarily to the confidentiality of sensitive data stored on web servers running WordPress with the vulnerable plugin installed. Attackers with minimal authenticated access can read arbitrary files, potentially exposing database credentials, configuration files, or personal data protected under GDPR. This can lead to data breaches, regulatory penalties, and reputational damage. Since WordPress is widely used across Europe for corporate websites, e-commerce, and government portals, the scope of impact is broad. The vulnerability could be leveraged as a stepping stone for further attacks, such as privilege escalation or lateral movement within the network. Organizations with large user bases or those that grant Subscriber-level access to many users are particularly vulnerable. The lack of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly after disclosure.

1. Immediately restrict Subscriber-level and higher user privileges to only trusted users to minimize potential attackers. 2. Monitor web server logs and WordPress AJAX request logs for unusual GOTMLS_* AJAX action calls that could indicate exploitation attempts. 3. Implement web application firewall (WAF) rules to detect and block suspicious AJAX requests targeting the vulnerable endpoints. 4. Apply principle of least privilege to WordPress user roles, removing unnecessary capabilities from low-privilege users. 5. Regularly check for and apply official patches or updates from the plugin vendor once released. 6. Conduct internal audits of sensitive file permissions on the server to limit exposure if accessed. 7. Consider temporarily disabling the vulnerable plugin if patching is not immediately possible and if business operations allow. 8. Educate administrators and users about the risk of granting excessive privileges within WordPress environments.