Anti-Malware Security and Brute-Force Firewall Security & Risk Analysis

wordpress.org/plugins/gotmls

This Anti-Malware scanner searches for Malware, Viruses, and other security threats and vulnerabilities on your server and it helps you fix them.

100K active installs · v4.23.88 · PHP 5.6+ · WP 3.3+ · Updated Mar 9, 2026
Tags: anti-malware, brute-force, firewall, scanner, security
83 · B · Generally Safe
CVEs total: 9
Unpatched: 0
Last CVE: Oct 28, 2025
Safety Verdict

Is Anti-Malware Security and Brute-Force Firewall Safe to Use in 2026?

Mostly Safe

Score 83/100

Anti-Malware Security and Brute-Force Firewall is generally safe to use. 9 past CVEs were resolved. Keep it updated.

9 known CVEs · Last CVE: Oct 28, 2025 · Updated 24d ago
Risk Assessment

The "gotmls" plugin v4.23.88 exhibits a concerning security posture despite some positive indicators. While it boasts a small attack surface with no unprotected entry points and a high percentage of SQL queries using prepared statements, several critical vulnerabilities in its code and taint analysis are deeply worrying. The presence of four "unserialize" calls is a significant red flag, especially when combined with a high number of unsanitized paths identified in the taint analysis. This suggests a strong possibility of deserialization vulnerabilities, where malicious data could lead to code execution. Furthermore, the plugin's historical vulnerability record, with nine known CVEs including one critical and two high-severity issues, points to a recurring pattern of security weaknesses. The types of past vulnerabilities, such as Code Injection, Deserialization of Untrusted Data, XSS, and CSRF, align with the risks suggested by the static analysis. The lack of nonce checks is another notable deficiency. Overall, while the plugin attempts to use prepared statements and has a limited attack surface, the identified risks in deserialization, unsanitized data flows, and historical vulnerabilities paint a picture of a plugin that requires immediate attention and remediation.

Key Concerns

  • Critical taint flow detected
  • High severity taint flow detected
  • Dangerous function 'unserialize' used
  • Low percentage of properly escaped output
  • No nonce checks present
  • Total of 9 known CVEs
  • Historical critical vulnerability
  • Historical high severity vulnerabilities
Vulnerabilities
9

Anti-Malware Security and Brute-Force Firewall Security Vulnerabilities

CVEs by Year

  • 2015: 2 CVEs
  • 2016: 1 CVE
  • 2022: 4 CVEs
  • 2024: 1 CVE
  • 2025: 1 CVE

Severity Breakdown

  • Critical: 1
  • High: 2
  • Medium: 5
  • Low: 1

9 total CVEs

CVE-2025-11705 · medium · 6.5 · Missing Authorization

Anti-Malware Security and Brute-Force Firewall <= 4.23.81 - Missing Authorization to Authenticated (Subscriber+) Arbitrary File Read

Oct 28, 2025 Patched in 4.23.83 (1d)
CVE-2024-22144 · critical · 9 · Improper Control of Generation of Code ('Code Injection')

Anti-Malware Security and Brute-Force Firewall <= 4.21.96 - Unauthenticated Remote Code Execution

Mar 12, 2024 Patched in 4.23.56 (57d)
CVE-2022-4327 · high · 7.2 · Deserialization of Untrusted Data

Anti-Malware Security and Brute-Force Firewall <= 4.21.85 - Authenticated (Admin+) PHP Object Injection

Dec 21, 2022 Patched in 4.21.86 (398d)
CVE-2022-0953 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Anti-Malware Security and Brute-Force Firewall <= 4.20.95 - Reflected Cross-Site Scripting

Apr 11, 2022 Patched in 4.20.96 (652d)
CVE-2022-2599 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Anti-Malware Security and Brute-Force Firewall <= 4.21.74 - Reflected Cross-Site Scripting

Feb 8, 2022 Patched in 4.21.83 (714d)
CVE-2021-25101 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Anti-Malware Security and Brute-Force Firewall <= 4.20.93 - Reflected Cross-Site Scripting

Jan 24, 2022 Patched in 4.20.94 (729d)
WF-d76229c9-39e6-48ab-b038-be40b36aa7bd-gotmls · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Anti-Malware Security and Brute-Force Firewall <= 4.15.17 - Cross-Site Scripting

May 10, 2016 Patched in 4.16.18 (2814d)
WF-14ccd915-a513-45a4-84d3-b2b1fb893f1c-gotmls · low · 3.1 · Cross-Site Request Forgery (CSRF)

Anti-Malware Security and Brute-Force Firewall <= 4.15.22 - Cross-Site Request Forgery

May 25, 2015 Patched in 4.15.23 (3165d)
WF-3408bdfd-6337-4c26-b0f2-377375d0e52c-gotmls · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Anti-Malware Security and Brute-Force Firewall <= 4.15.22 - Cross-Site Scripting

May 25, 2015 Patched in 4.15.23 (3165d)
Code Analysis
Analyzed Mar 16, 2026

Anti-Malware Security and Brute-Force Firewall Code Analysis

  • Dangerous Functions: 4
  • Raw SQL Queries: 10 (49 prepared)
  • Unescaped Output: 136 (26 escaped)
  • Nonce Checks: 0
  • Capability Checks: 1
  • File Operations: 20
  • External Requests: 2
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · if (!(is_array($unsafe_serialized)) && (is_array($safe_unserialized = @unserialize(preg_replace('/[o · safe-load\trace.php:197
unserialize · if (@unserialize($return) && is_array(@unserialize($return))) · safe-load\wp-settings.php:155
unserialize · if (@unserialize($return) && is_array(@unserialize($return))) · safe-load\wp-settings.php:155
unserialize · return unserialize($return); · safe-load\wp-settings.php:156

SQL Query Safety

83% prepared · 59 total queries

Output Escaping

16% escaped · 162 total outputs
Data Flows
11 unsanitized

Data Flow Analysis

11 flows · 11 with unsanitized paths
GOTMLS_db_scan (images\index.php:1369)
Attack Surface

Anti-Malware Security and Brute-Force Firewall Attack Surface

Entry Points: 2
Unprotected: 0

Shortcodes 2

[gotmls-brute-force-protection] index.php:1280
[ihc-login-form] index.php:1497
WordPress Hooks 15
action · admin_notices · images\index.php:937
action · plugins_loaded · images\index.php:1095
action · admin_menu · index.php:67
action · network_admin_menu · index.php:68
action · admin_menu · index.php:74
action · network_admin_menu · index.php:75
action · admin_enqueue_scripts · index.php:97
action · login_form · index.php:1253
filter · plugin_action_links · index.php:1369
filter · plugin_row_meta · index.php:1376
action · in_plugin_update_message-gotmls/index.php · index.php:1396
action · admin_init · index.php:1479
action · woocommerce_login_form · index.php:1500
action · wpum_before_submit_button_login_form · index.php:1502
action · init · index.php:1580
Maintenance & Trust

Anti-Malware Security and Brute-Force Firewall Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 9, 2026
PHP min version: 5.6
Downloads: 7.6M

Community Trust

Rating: 98/100
Number of ratings: 781
Active installs: 100K
Developer Profile

Anti-Malware Security and Brute-Force Firewall Developer Profile

Eli

9 plugins · 101K total installs

Trust score: 72
Avg Security Score: 90/100
Avg Patch Time: 782 days
Detection Fingerprints

How We Detect Anti-Malware Security and Brute-Force Firewall

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.
