Anti-Malware Security and Brute-Force Firewall plugin for WordPress patch release (CVE-2025-11705)
Security Patch Release
Summary
On October 15, 2025, Eli released version 4.23.83 of the Anti-Malware Security and Brute-Force Firewall plugin for WordPress, closing CVE-2025-11705 for sites running earlier builds. The AJAX handler GOTMLS_ajax_scan() lacked a user capability check, so any authenticated user, down to the subscriber role, could drive its file-read path and retrieve arbitrary files from the server, including wp-config.php. The update adds GOTMLS_kill_invalid_user() to enforce that check before the handler does any work. Sites on 4.23.81 and earlier need the patch; until it is applied, the exposure is limited only by whether the site allows low-privileged accounts at all.
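The shape of the bug and the fix, as an added illustration rather than the plugin's own code: WordPress runs any `wp_ajax_{action}` callback for every logged-in user regardless of role, so an AJAX handler that reads a request-supplied file path without a capability check is reachable by a subscriber. The function and action names below (`demo_vuln_read_file`, `demo_kill_invalid_user`, `demo_safe_read_file`, the `demo_` AJAX actions and nonce) are hypothetical; only the WordPress API calls are real. The hardened version also adds a nonce check and confines the path, which goes beyond the single capability check the advisory describes.

```php
<?php
// Added example; NOT code from the GOTMLS plugin. All demo_* names are hypothetical.

// 'Before' shape of the flaw: a wp_ajax_ hook fires for ANY authenticated user
// (subscriber included). No capability check and no path validation, so a
// request with file=../../wp-config.php returns the site's database credentials.
function demo_vuln_read_file() {
    $file = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $path = ABSPATH . $file;            // attacker controls the whole suffix
    wp_send_json_success( file_get_contents( $path ) );
}
add_action( 'wp_ajax_demo_vuln_read', 'demo_vuln_read_file' );

// 'After' shape: refuse early unless the caller holds an administrator-level
// capability, then verify a nonce so an admin cannot be CSRF'd into the call.
// This mirrors the role of a "kill invalid user" guard called at handler entry.
function demo_kill_invalid_user() {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() calls wp_die(), so execution stops here.
        wp_send_json_error( 'Invalid user', 403 );
    }
    check_ajax_referer( 'demo_scan_nonce', 'nonce' );
}

function demo_safe_read_file() {
    demo_kill_invalid_user();

    $file = isset( $_POST['file'] ) ? sanitize_text_field( wp_unslash( $_POST['file'] ) ) : '';
    $base = realpath( WP_CONTENT_DIR . '/uploads' );   // only directory we intend to serve
    $path = realpath( $base . '/' . $file );

    // realpath() resolves ../ and symlinks; anything that does not stay under
    // $base (including a non-existent file, where realpath() returns false) is rejected.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'Path not allowed', 400 );
    }
    wp_send_json_success( file_get_contents( $path ) );
}
add_action( 'wp_ajax_demo_safe_read', 'demo_safe_read_file' );
```

To confirm a patched site behaves like the second handler, log in as a subscriber and POST the scan action to `/wp-admin/admin-ajax.php`; the response should be a 403 (or the plugin's equivalent "invalid user" error) rather than file contents. Note that `current_user_can()` is the guard that matters here: a nonce alone does not establish authorization, since WordPress issues nonces to subscribers too.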
Related Happenings
LiteSpeed cPanel user-end plugin urgent security update (CVE-2026-48172)
Security Patch Release
First: 27.05.2026 13:06
Last: 27.05.2026 13:06
Sources 1
About this happening:
LiteSpeed released **urgent security updates** for the **cPanel user-end plugin** after **CVE-2026-48172** was found to be **actively exploited**, reducing exposure for systems ru...
Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch Release
First: 15.05.2026 18:56
Last: 15.05.2026 18:56
Sources 1
About this happening:
**Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...
CPanel security patch release for CVE-2026-29201
Security Patch Release
First: 09.05.2026 10:16
Last: 09.05.2026 10:16
Sources 1
About this happening:
**cPanel** released updates for **cPanel and Web Host Manager (WHM)** to fix **three vulnerabilities** that could enable **privilege escalation**, **code execution**, or **denial-...
Nginx-ui 2.3.4 patch for CVE-2026-33032
Security Patch Release
First: 15.04.2026 16:00
Last: 15.04.2026 16:00
Sources 1
About this happening:
**nginx-ui maintainers** shipped **version 2.3.4** to fix **CVE-2026-33032**, closing a critical security gap for **MCP-enabled** deployments. The patch matters because the flaw c...
Latest development: 15.04.2026 17:45
After Pluto Security disclosed the issue in **March 2026**, the maintainers shipped **version 2.3.4** to address **CVE-2026-33032**. The patch closed the vulnerability in the product's **AI (MCP) integration** before broader exploitation details were reported.
Ninja Forms – File Upload Plugin patch release (version 3.3.27)
Security Patch Release
First: 08.04.2026 18:10
Last: 08.04.2026 18:10
Sources 1
About this happening:
**Ninja Forms – File Upload Plugin** received a **complete patch in version 3.3.27** after a **partial fix on February 10**, closing a critical upload flaw that left **thousands o...
Timeline
- 29.10.2025 22:44 · 1 article
Wordfence reports CVE-2025-11705 in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress
Initial Disclosure: Wordfence reported CVE-2025-11705 in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress to Eli through the WordPress.org Security Team on October 14, and shared a validated proof-of-concept exploit for the missing capability check in GOTMLS_ajax_scan(), which could let a low-privileged subscriber read arbitrary files on the server, including wp-config.php.
- WordPress security plugin exposes private data to site subscribers — www.bleepingcomputer.com — 29.10.2025 22:44
- 29.10.2025 22:44 · 2 articles
Eli releases version 4.23.83 to fix CVE-2025-11705 in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress
Mitigation Patch Update: Eli released version 4.23.83 of the Anti-Malware Security and Brute-Force Firewall plugin for WordPress on October 15, adding GOTMLS_kill_invalid_user() to enforce a proper user capability check and fix CVE-2025-11705 in versions 4.23.81 and earlier.
- WordPress security plugin exposes private data to site subscribers — www.bleepingcomputer.com — 29.10.2025 22:44