CVE-2025-11521: 
WordPress vulnerability analysis and mitigation

The Astra Security Suite – Firewall & Malware Scan plugin for WordPress (versions up to and including 0.2) contains a critical vulnerability (CVE-2025-11521) that was disclosed on November 10, 2025. The vulnerability allows unauthenticated attackers to perform arbitrary file uploads due to insufficient validation of remote URLs for zip downloads and an easily guessable key (NVD).

The vulnerability is classified as an improper authorization issue (CWE-285). It has received a CVSS v3.1 Base Score of 8.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability stems from insufficient validation mechanisms for remote URL zip downloads combined with a predictable key system (NVD, Wordfence).

The vulnerability enables unauthenticated attackers to upload arbitrary files to the affected site's server, potentially leading to remote code execution. This represents a significant security risk as it could allow attackers to take complete control of affected WordPress installations (NVD).

The plugin has been temporarily closed and is not available for download pending a full security review. Users are advised to remove the plugin until a patched version is released (WordPress).