Introduction
An unauthenticated directory traversal flaw in a WordPress security plugin with over 100,000 active installations has been quietly exposing host filesystems to remote attackers since at least mid 2021. CVE-2021-47977 affects the Anti-Malware Security and Bruteforce Firewall plugin, a tool developed under the GOTMLS brand that helps WordPress administrators detect and clean malware infections on their sites.
The plugin has a significant footprint: over 100,000 active installations on the WordPress plugin repository and more than 407,173 registered users on the GOTMLS network. For organizations relying on this plugin as part of their WordPress security posture, the irony is notable: the security tool itself introduced a high severity file read vulnerability.
Technical Information
CVE-2021-47977 is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. The CVSS score reported by VulnCheck is 8.7 High.
Root Cause
The vulnerability exists in how the plugin handles the duplicator_download AJAX action. WordPress plugins can register actions through the admin-ajax.php endpoint, and some of these actions are accessible without authentication (using the wp_ajax_nopriv_ hook). The Anti-Malware Security and Bruteforce Firewall plugin exposes the duplicator_download action to unauthenticated users and fails to properly sanitize the file parameter before using it to read files from the filesystem.
Specifically, the plugin does not strip or reject path traversal sequences (../ or ..\) from the file parameter value. This allows an attacker to escape the intended directory and traverse the filesystem to read arbitrary files that the web server process has permission to access.
Attack Flow
The exploitation of this vulnerability follows a straightforward sequence:
- The attacker identifies a WordPress installation running a vulnerable version of the Anti-Malware Security and Bruteforce Firewall plugin (versions up to and including 4.20.72).
- The attacker crafts an HTTP GET request to the target's
wp-admin/admin-ajax.phpendpoint. - The request includes
action=duplicator_downloadand afileparameter containing path traversal sequences pointing to a sensitive file on the host system. - Because the action does not require authentication, the WordPress AJAX handler processes the request and the plugin reads the specified file from disk.
- The contents of the targeted file are returned in the HTTP response.
On a typical WordPress deployment, the most valuable target would be wp-config.php, which contains database credentials, authentication keys, salts, and the database table prefix. On Windows hosts, files like win.ini or other system configuration files could be targeted. On Linux hosts, /etc/passwd or application configuration files are common targets.
The entire attack requires only a single HTTP request and no prior authentication, making it trivially automatable.
Affected Systems and Versions
The vulnerability affects the Anti-Malware Security and Bruteforce Firewall WordPress plugin in versions up to and including 4.20.72. The WordPress plugin repository currently lists version 4.23.88 as the latest available release. Any WordPress installation running a version at or below 4.20.72 of this plugin should be considered vulnerable.
Vendor Security History
The Anti-Malware Security and Bruteforce Firewall plugin has experienced multiple security issues over its lifecycle:
- Versions prior to 4.15.44 were vulnerable to Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF), as documented by WPScan.
- Versions below 4.20.94 contained a Reflected Cross Site Scripting vulnerability caused by unsanitized POST data, also tracked by WPScan.
This pattern suggests that input validation has been a recurring challenge for the plugin's development team.
References
- NVD Entry for CVE-2021-47977
- VulnCheck Advisory: WordPress Anti-Malware Security Bruteforce Firewall Directory Traversal
- ExploitDB Entry 50107
- GOTMLS Official Site
- GOTMLS Downloads
- WordPress Plugin Page: Anti-Malware Security and Brute-Force Firewall
- WPScan: Anti-Malware Security and Brute-Force Firewall < 4.15.44
- WPScan: Anti-Malware Security and Brute-Force Firewall < 4.20.94
- Wordfence: Active Attack on Duplicator Plugin Vulnerability
- CISA Known Exploited Vulnerabilities Catalog



