{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11986", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-20T18:56:32.332Z", "datePublished": "2025-11-11T03:30:51.073Z", "dateUpdated": "2026-04-08T17:32:13.715Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:13.715Z"}, "affected": [{"vendor": "odude", "product": "Crypto Tool", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.22", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the register and savenft methods with only a publicly-available nonce check and no wallet signature verification. This makes it possible for unauthenticated attackers to set a site-wide global authentication state via a single transient, bypassing all access controls for ALL visitors to the site. The impact is complete bypass of [crypto-block] shortcode restrictions and page-level access controls, affecting all site visitors for one hour, plus the ability to inject arbitrary data into the plugin's custom_users table."}], "title": "Crypto Tool <= 2.22 - Unauthenticated Information Exposure via Global Authentication State", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f062ef94-e558-478e-bbfd-06616aeb566b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L9"}, {"url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L65"}, {"url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L95"}, {"url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto-user.php#L95"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-306 Missing Authentication for Critical Function", "cweId": "CWE-306", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-11-10T15:07:44.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-12T15:10:22.535224Z", "id": "CVE-2025-11986", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T20:04:57.187Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11986", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-12T15:10:22.535224Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-12T15:10:35.365Z"}}], "cna": {"title": "Crypto Tool <= 2.22 - Unauthenticated Information Exposure via Global Authentication State", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "odude", "product": "Crypto Tool", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.22"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-10T15:07:44.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f062ef94-e558-478e-bbfd-06616aeb566b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L9"}, {"url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L65"}, {"url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L95"}, {"url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto-user.php#L95"}], "descriptions": [{"lang": "en", "value": "The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the register and savenft methods with only a publicly-available nonce check and no wallet signature verification. This makes it possible for unauthenticated attackers to set a site-wide global authentication state via a single transient, bypassing all access controls for ALL visitors to the site. The impact is complete bypass of [crypto-block] shortcode restrictions and page-level access controls, affecting all site visitors for one hour, plus the ability to inject arbitrary data into the plugin's custom_users table."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-11T03:30:51.073Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11986", "state": "PUBLISHED", "dateUpdated": "2025-11-12T20:04:57.187Z", "dateReserved": "2025-10-20T18:56:32.332Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-11T03:30:51.073Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the register and savenft methods with only a publicly-available nonce check and no wallet signature verification. This makes it possible for unauthenticated attackers to set a site-wide global authentication state via a single transient, bypassing all access controls for ALL visitors to the site. The impact is complete bypass of [crypto-block] shortcode restrictions and page-level access controls, affecting all site visitors for one hour, plus the ability to inject arbitrary data into the plugin's custom_users table."}], "id": "CVE-2025-11986", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-11T04:15:44.780", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto-user.php#L95"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L65"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L9"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L95"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f062ef94-e558-478e-bbfd-06616aeb566b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:26:13.453836+00:00", "value": {"mitigation_remediation": ["Upgrade the Crypto Tool plugin to version 2.23 or later, which removes the vulnerable AJAX action.", "If an immediate upgrade is not possible, modify the plugin to require user authentication before invoking the register or savenft methods, or permanently disable the wp_ajax_nopriv_crypto_connect_ajax_process action.", "Deploy a Web Application Firewall rule to block requests to wp_ajax_nopriv_crypto_connect_ajax_process or otherwise monitor for unauthorized modifications to the custom_users table and remediate any suspicious entries."], "summary": {"action": "Patch Now", "impact": "Unauthorized Access via Global Authentication State"}, "threat_synthesis": {"affected_systems": "Any WordPress site using the Crypto Tool plugin version 2.22 or earlier is vulnerable. These versions are distributed by the vendor odude and are intended for use on all compatible WordPress installations.", "description_and_impact": "The Crypto plugin for WordPress allows attackers to trigger an unauthenticated AJAX action protected only by a public nonce, enabling the register and savenft methods to run without wallet signature verification. This flaw lets an unauthenticated user set a site\u2011wide transient that grants full access to all visitors for an hour and permits arbitrary data to be stored in the plugin\u2019s custom_users table. The vulnerability is a classic instance of improper authentication (CWE\u2011306).", "risk_and_exploitability": "The CVSS score of 5.3 labels the issue as moderate, and the EPSS score of less than 1% indicates a very low probability of exploitation in the current market. Because the flaw is triggered by a simple HTTP request to wp_ajax_nopriv_crypto_connect_ajax_process with a valid nonce, no credentials are required. The vulnerability is not listed in the CISA KEV catalog."}}}}, "created": "2025-11-12T12:43:00.101054+00:00", "updated": "2026-04-21T18:30:27.586002+00:00", "vendors": ["odude", "odude$PRODUCT$crypto_tool", "wordpress", "wordpress$PRODUCT$wordpress"]}