Description
WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the file parameter. Attackers can send requests to the duplicator_download action via admin-ajax.php with path traversal sequences to access sensitive system files outside the intended directory.
Published: 2026-05-16
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because the WordPress Anti‑Malware Security and Bruteforce Firewall plugin fails to sanitize the filename supplied to its duplicator_download action. An attacker can send a crafted HTTP request containing path‑traversal sequences that escape the intended directory and read any file the web server process can access, such as sensitive configuration files or logs. While the flaw does not provide direct code execution, the ability to read arbitrary files can lead to credential theft and information disclosure and can facilitate further attacks. The weakness is classified as CWE‑22.

Affected Systems

The 4.20.59 release of the WordPress Anti‑Malware Security and Bruteforce Firewall plugin from Gotmls is explicitly listed as vulnerable. Only this version is identified; newer releases are assumed patched.

Risk and Exploitability

The flaw carries a CVSS score of 8.7, indicating high severity. No EPSS score is available and the vulnerability is not included in CISA’s KEV catalog, suggesting no confirmed exploitation yet. An attacker merely needs to send an unauthenticated request to admin‑ajax.php specifying the duplicator_download action with a file path that contains traversal sequences to obtain sensitive files. Once a file is read, attackers can obtain information that may support further exploits.

Generated by OpenCVE AI on May 16, 2026 at 16:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Anti‑Malware Security and Bruteforce Firewall plugin to the latest version that resolves the directory traversal issue, such as 4.20.60 or newer.
  • If an upgrade cannot be applied immediately, block or remove the duplicator_download handler from admin‑ajax.php, or use a web application firewall to reject requests that contain path‑traversal patterns like ".." or "%2e%2e/".
  • Validate the file parameter by resolving it against an allow-list of permitted directories and rejecting any path that resolves outside them, so that only approved files can be served through the plugin’s download action.

Advisories

No advisories yet.

History

Sat, 16 May 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the file parameter. Attackers can send requests to the duplicator_download action via admin-ajax.php with path traversal sequences to access sensitive system files outside the intended directory.
Title | | WordPress Anti-Malware Security Bruteforce Firewall 4.20.59 Directory Traversal
Weaknesses | | CWE-22
References | |
Metrics | | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-16T15:28:13.494Z

Reserved: 2026-05-16T14:41:49.029Z

Link: CVE-2021-47977

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-16T16:16:23.233

Modified: 2026-05-16T16:16:23.233

Link: CVE-2021-47977

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-16T16:45:27Z

Weaknesses