Description
The Crypto plugin for WordPress is vulnerable to unauthorized manipulation of data in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the crypto_delete_json method with only a publicly-available nonce check. This makes it possible for unauthenticated attackers to delete specific JSON files matching the pattern *_pending.json within the wp-content/uploads/yak/ directory, causing data loss and denial of service for plugin workflows that rely on these artifacts.
Published: 2025-11-11
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Loss and Denial of Service via Unauthenticated File Deletion
Action: Apply Patch
AI Analysis

Impact

The Crypto plugin for WordPress allows anyone to call the wp_ajax_nopriv_crypto_connect_ajax_process action without authenticating, relying only on a publicly available nonce. This enables an attacker to trigger the crypto_delete_json method and delete JSON files that match the pattern *_pending.json in the wp-content/uploads/yak/ directory. Removing those files destroys data that the plugin uses for its workflow, leading to loss of information and a potential denial of service for functions that depend on these artifacts.

Affected Systems

WordPress installations that use the Crypto plugin from the odude vendor and are running any version up to and including 2.22 are affected. Sites that have not upgraded beyond this version and that run the plugin on a publicly accessible environment are vulnerable.

Risk and Exploitability

The vulnerability carries a CVSS score of 5.3, indicating moderate severity. Its EPSS score is less than 1%, suggesting a low probability of current exploitation, and it is not listed in the CISA KEV catalog. An attacker only needs to send a crafted AJAX request from any IP address; no login is required, because the plugin does not verify the user's identity beyond the publicly available nonce. If the site is publicly reachable, the exploit is straightforward to execute.

Generated by OpenCVE AI on April 22, 2026 at 12:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Crypto plugin to version 2.23 or newer, which removes the unauthenticated AJAX action
  • If an upgrade is not immediately possible, disable the wp_ajax_nopriv_crypto_connect_ajax_process action by removing or unregistering it in the theme’s functions.php or with a security plugin
  • Restrict write permissions on the wp-content/uploads/yak/ directory so that only the web server owner retains deletion rights
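The second recommended action can be implemented as a small must-use plugin that rejects the unauthenticated AJAX action before the Crypto plugin's handler runs. This is an added example, not code from the Crypto plugin or from OpenCVE; it assumes the action name given on this page and that admin-ajax.php fires admin_init before dispatching wp_ajax_nopriv_{action} (standard WordPress behaviour). The file name, constant name and log message are placeholders of my choosing.

```php
<?php
/**
 * Plugin Name: Block unauthenticated crypto_connect_ajax_process (temporary mitigation)
 * Description: Added example, not part of the Crypto plugin. Place in wp-content/mu-plugins/
 *              until the Crypto plugin is upgraded past 2.22.
 */

// Action name taken from the advisory; on vulnerable versions it reaches crypto_delete_json.
const CRYPTO_TOOL_BLOCKED_ACTION = 'crypto_connect_ajax_process';

/**
 * admin-ajax.php runs admin_init before it dispatches wp_ajax_nopriv_{action},
 * so rejecting the request here runs ahead of the plugin's handler regardless
 * of the priority the plugin registered it with.
 */
function crypto_tool_block_nopriv_ajax() {
    // Only the unauthenticated (nopriv) path is affected; leave logged-in users alone.
    if ( ! wp_doing_ajax() || is_user_logged_in() ) {
        return;
    }

    // sanitize_key() lowercases and strips to [a-z0-9_-], which preserves the action name exactly.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( CRYPTO_TOOL_BLOCKED_ACTION !== $action ) {
        return;
    }

    // Leave an audit trail so blocked attempts show up in the PHP error log.
    $remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( '[crypto-tool-mitigation] blocked unauthenticated %s from %s', $action, $remote ) );

    // Reject with 403 and stop processing; nothing after this reaches crypto_delete_json.
    wp_send_json_error( array( 'message' => 'This action is disabled.' ), 403 );
}
add_action( 'admin_init', 'crypto_tool_block_nopriv_ajax', 0 );
```

Because it lives in wp-content/mu-plugins/, the file loads before regular plugins and cannot be deactivated from the dashboard. The trade-off is that it also blocks any legitimate unauthenticated use of the same endpoint, so it is a stopgap only; upgrading the plugin remains the fix.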

Advisories

No advisories yet.

History

Wed, 12 Nov 2025 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 12 Nov 2025 13:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Odude; Odude crypto Tool; Wordpress; Wordpress wordpress
Vendors & Products | | Odude; Odude crypto Tool; Wordpress; Wordpress wordpress

Tue, 11 Nov 2025 03:45:00 +0000

Type | Values Removed | Values Added
Description | | The Crypto plugin for WordPress is vulnerable to unauthorized manipulation of data in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the crypto_delete_json method with only a publicly-available nonce check. This makes it possible for unauthenticated attackers to delete specific JSON files matching the pattern *_pending.json within the wp-content/uploads/yak/ directory, causing data loss and denial of service for plugin workflows that rely on these artifacts.
Title | | Crypto Tool <= 2.22 - Missing Authentication to Unauthenticated Limited File Deletion
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:45:20.211Z

Reserved: 2025-10-20T19:32:02.759Z

Link: CVE-2025-11988

Vulnrichment

Updated: 2025-11-12T17:02:03.202Z

NVD

Status: Deferred

Published: 2025-11-11T04:15:44.967

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11988

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T12:30:16Z

Weaknesses