Anti-Malware Security and Brute-Force Firewall plugin for WordPress patch release (CVE-2025-11705)
Security Patch Release
Summary
Hide ▲
Show ▼
On October 15, Eli released version 4.23.83 of the Anti-Malware Security and Brute-Force Firewall plugin for WordPress, closing CVE-2025-11705 in sites running earlier builds. The update adds a proper user capability check through GOTMLS_kill_invalid_user(), fixing the file-read path in GOTMLS_ajax_scan(). Sites on 4.23.81 and earlier needed the patch to stop a low-privileged user from reaching sensitive server files.
Related Happenings
Squid web proxy patch for CVE-2026-47729
Security Patch Release
H score20
First: 22.06.2026 17:29
Last: 22.06.2026 17:29
Sources 1
About this happening:
**Squid maintainers** merged a **null-terminator check** for **CVE-2026-47729** into the **development branch** and **v7**, closing the FTP-parser over-read that could expose shar...
Squid web proxy patch for CVE-2026-47729
Security Patch ReleaseAbout this happening: **Squid maintainers** merged a **null-terminator check** for **CVE-2026-47729** into the **development branch** and **v7**, closing the FTP-parser over-read that could expose shar...
Gravity SMTP security patch release for CVE-2026-4020
Security Patch Release
H score16
First: 20.06.2026 12:56
Last: 20.06.2026 12:56
Sources 1
About this happening:
**Gravity SMTP** released **version 2.1.5** to fix **CVE-2026-4020**, closing a **medium-severity information disclosure** flaw in the WordPress plugin. The patch addresses a bug...
Gravity SMTP security patch release for CVE-2026-4020
Security Patch ReleaseAbout this happening: **Gravity SMTP** released **version 2.1.5** to fix **CVE-2026-4020**, closing a **medium-severity information disclosure** flaw in the WordPress plugin. The patch addresses a bug...
F5 security patch release for CVE-2026-42530
Security Patch Release
H score39
First: 18.06.2026 20:32
Last: 18.06.2026 20:32
Sources 1
About this happening:
**F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...
F5 security patch release for CVE-2026-42530
Security Patch ReleaseAbout this happening: **F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...
JCE Pro 2.9.99.6 patch for CVE-2026-48907
Security Patch Release
H score46
First: 17.06.2026 13:09
Last: 17.06.2026 13:09
Sources 1
About this happening:
**JCE security team** released **JCE Pro 2.9.99.6** in **early June 2026** to fix **CVE-2026-48907** in the **Widget Factory Joomla Content Editor (JCE) plugin**. The update addre...
JCE Pro 2.9.99.6 patch for CVE-2026-48907
Security Patch ReleaseAbout this happening: **JCE security team** released **JCE Pro 2.9.99.6** in **early June 2026** to fix **CVE-2026-48907** in the **Widget Factory Joomla Content Editor (JCE) plugin**. The update addre...
LiteLLM endpoint-hardening patch release (CVE-2026-42271)
Security Patch Release
H score59
First: 09.06.2026 09:26
Last: 09.06.2026 09:26
Sources 1
About this happening:
BerriAI released **LiteLLM 1.83.7**, hardening access to the vulnerable **MCP test endpoints** that accepted full server configurations. The update now requires the **PROXY_ADMIN*...
LiteLLM endpoint-hardening patch release (CVE-2026-42271)
Security Patch ReleaseAbout this happening: BerriAI released **LiteLLM 1.83.7**, hardening access to the vulnerable **MCP test endpoints** that accepted full server configurations. The update now requires the **PROXY_ADMIN*...
Timeline
-
29.10.2025 22:44 1 articles · 8mo ago
Wordfence reports CVE-2025-11705 in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress
Initial DisclosureWordfence reported CVE-2025-11705 in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress to Eli through the WordPress.org Security Team on October 14, and shared a validated proof-of-concept exploit for the missing capability check in GOTMLS_ajax_scan(), which could let a low-privileged subscriber read arbitrary files on the server, including wp-config.php.
Show sources
- WordPress security plugin exposes private data to site subscribers — www.bleepingcomputer.com — 29.10.2025 22:44
-
29.10.2025 22:44 2 articles · 8mo ago
Eli releases version 4.23.83 to fix CVE-2025-11705 in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress
Mitigation Patch UpdateEli released version 4.23.83 of the Anti-Malware Security and Brute-Force Firewall plugin for WordPress on October 15, adding GOTMLS_kill_invalid_user() to enforce a proper user capability check and fix CVE-2025-11705 in versions 4.23.81 and earlier.
Show sources
- WordPress security plugin exposes private data to site subscribers — www.bleepingcomputer.com — 29.10.2025 22:44
- WordPress security plugin exposes private data to site subscribers — www.bleepingcomputer.com — 29.10.2025 22:44