Description
The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the register and savenft methods with only a publicly-available nonce check and no wallet signature verification. This makes it possible for unauthenticated attackers to set a site-wide global authentication state via a single transient, bypassing all access controls for ALL visitors to the site. The impact is complete bypass of [crypto-block] shortcode restrictions and page-level access controls, affecting all site visitors for one hour, plus the ability to inject arbitrary data into the plugin's custom_users table.
Published: 2025-11-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Global Authentication State
Action: Patch Now
AI Analysis

Impact

The Crypto plugin for WordPress allows attackers to trigger an unauthenticated AJAX action protected only by a public nonce, enabling the register and savenft methods to run without wallet signature verification. This flaw lets an unauthenticated user set a site‑wide transient that grants full access to all visitors for an hour and permits arbitrary data to be stored in the plugin’s custom_users table. The vulnerability is a classic instance of improper authentication (CWE‑306).

Affected Systems

Any WordPress site using the Crypto Tool plugin version 2.22 or earlier is vulnerable. These versions are distributed by the vendor odude and are intended for use on all compatible WordPress installations.

Risk and Exploitability

The CVSS score of 5.3 labels the issue as moderate, and the EPSS score of less than 1% indicates a very low probability of exploitation in the current market. Because the flaw is triggered by a simple HTTP request to wp_ajax_nopriv_crypto_connect_ajax_process with a valid nonce, no credentials are required. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 21, 2026 at 18:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Crypto Tool plugin to version 2.23 or later, which removes the vulnerable AJAX action.
  • If an immediate upgrade is not possible, modify the plugin to require user authentication before invoking the register or savenft methods, or permanently disable the wp_ajax_nopriv_crypto_connect_ajax_process action.
  • Deploy a Web Application Firewall rule to block requests to wp_ajax_nopriv_crypto_connect_ajax_process or otherwise monitor for unauthorized modifications to the custom_users table and remediate any suspicious entries.

Generated by OpenCVE AI on April 21, 2026 at 18:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 12 Nov 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 12 Nov 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Odude
Odude crypto Tool
Wordpress
Wordpress wordpress
Vendors & Products Odude
Odude crypto Tool
Wordpress
Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000

Type Values Removed Values Added
Description The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the register and savenft methods with only a publicly-available nonce check and no wallet signature verification. This makes it possible for unauthenticated attackers to set a site-wide global authentication state via a single transient, bypassing all access controls for ALL visitors to the site. The impact is complete bypass of [crypto-block] shortcode restrictions and page-level access controls, affecting all site visitors for one hour, plus the ability to inject arbitrary data into the plugin's custom_users table.
Title Crypto Tool <= 2.22 - Unauthenticated Information Exposure via Global Authentication State
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Odude Crypto Tool
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:13.715Z

Reserved: 2025-10-20T18:56:32.332Z

Link: CVE-2025-11986

cve-icon Vulnrichment

Updated: 2025-11-12T15:10:35.365Z

cve-icon NVD

Status : Deferred

Published: 2025-11-11T04:15:44.780

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11986

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T18:30:27Z

Weaknesses