Saved February 14, 2026
Do you care about this?
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress has a serious vulnerability that lets any logged-in user with Subscriber-level access or higher read any file on the server, risking exposure of sensitive information such as database credentials. Versions 4.23.81 and earlier are affected; a patched release followed shortly after the issue was reported. Site owners are advised to update the plugin to avoid potential attacks.
If you do, here's more
The Anti-Malware Security and Brute-Force Firewall plugin for WordPress has a serious vulnerability, tracked as CVE-2025-11705, in a plugin installed on more than 100,000 sites. The flaw lets an authenticated user with Subscriber-level access or higher read any file on the server, including wp-config.php, which holds the site's database credentials. The root cause is a missing capability check in GOTMLS_ajax_scan(), the function that handles the plugin's AJAX scan requests: WordPress delivers wp_ajax_* requests to every logged-in user regardless of role, so a handler that never checks what the caller is permitted to do is reachable from the lowest-privileged account on the site. An attacker holding such an account could pass an arbitrary path to the handler, read the file, and extract whatever it contains.
The vulnerability was reported by researcher Dmitrii Ignatyev to Wordfence, which alerted the plugin's developer, Eli. On October 15, 2025, the developer released version 4.23.83, which adds a new function, GOTMLS_kill_invalid_user(), to enforce proper user capability checks before the scan handler runs. At the time of the report roughly 50,000 sites were still running a vulnerable version. Wordfence had not seen exploitation in the wild, but the details are now public and the attack requires only a Subscriber account, which many sites hand out through open registration, so site owners should confirm the installed version is 4.23.83 or later and update promptly if it is not.
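The two paragraphs above describe a class of bug rather than a one-off: a wp_ajax_* handler that trusts "logged in" as if it meant "authorized". The following is an added illustrative example, written for this page and not code from the GOTMLS plugin or its author; the hook names, function names, nonce action and the file request parameter are all hypothetical. It shows the vulnerable shape beside a hardened handler that checks a nonce, requires an administrator-level capability, and confines the path it will read.

```php
<?php
/*
 * Added illustrative example (not the plugin's own code).
 * Hook names, function names, the 'file' parameter and the
 * nonce action 'example_scan_nonce' are hypothetical.
 */

// VULNERABLE PATTERN: wp_ajax_* hooks fire for every authenticated user,
// Subscriber included. This handler never asks who is calling or what
// capability they hold, and it reads whatever path the request names.
add_action( 'wp_ajax_example_scan_file', 'example_scan_file_vulnerable' );
function example_scan_file_vulnerable() {
    $path = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    // A Subscriber posting file=../../wp-config.php gets the DB credentials back.
    $contents = file_get_contents( $path );
    wp_send_json_success( array( 'contents' => $contents ) );
}

// HARDENED PATTERN: authentication, authorization and path confinement
// are three separate checks, and all three are needed.
add_action( 'wp_ajax_example_scan_file_safe', 'example_scan_file_hardened' );
function example_scan_file_hardened() {
    // 1. Nonce: rejects cross-site forgery of the request. Dies on failure.
    check_ajax_referer( 'example_scan_nonce', 'nonce' );

    // 2. Capability: being logged in is not authorization. Require a cap that
    //    only administrators hold; wp_send_json_error() exits after responding.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Path confinement: resolve the requested path and require it to lie
    //    under the content directory, so '..' and absolute paths cannot escape.
    $base      = realpath( WP_CONTENT_DIR );
    $requested = isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '';
    $real      = realpath( $base . DIRECTORY_SEPARATOR . ltrim( $requested, '/\\' ) );
    if ( false === $real || 0 !== strpos( $real, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'path not allowed', 400 );
    }

    wp_send_json_success( array( 'contents' => file_get_contents( $real ) ) );
}
```

The order matters: the capability check runs before any request parameter is touched, and the path check uses realpath() on the resolved target rather than string-filtering the input, which is the difference between blocking "../" and actually confining the read.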