PT-2025-46266 · WordPress · Crypto++

Published 2025-11-11 · Updated 2025-11-11 · CVE-2025-11986

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Crypto plugin for WordPress versions prior to 2.23

Description: The software is susceptible to information exposure due to an unauthenticated AJAX action, wp_ajax_nopriv_crypto_connect_ajax_process, which allows calling the register and savenft methods with only a nonce check and no wallet signature verification. This enables unauthenticated attackers to establish a site-wide global authentication state using a transient, bypassing access controls for all site visitors. The result is a complete bypass of shortcode restrictions and page-level access controls, affecting all visitors for approximately one hour, and it also allows arbitrary data injection into the custom users table.

Recommendations: Update to version 2.23 or later.
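The following is an added illustration of the pattern described above, written for this page and not taken from the plugin: a nopriv AJAX handler that gates only on a nonce and then writes a single site-wide transient, beside one hardened approach that restricts the action to logged-in users, keys state to the requesting user, and proves wallet ownership with a single-use server-issued challenge. All names (the crypto_* hooks and transients, the wallet and sig POST fields, and the crypto_verify_wallet_signature filter) are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Names (crypto_*, the 'wallet' and
// 'sig' POST fields, the crypto_verify_wallet_signature filter) are hypothetical.

// --- Weak pattern the advisory describes -------------------------------------
// nopriv handler: any visitor can call it. A nonce only proves the request came
// from a page that rendered it; it says nothing about who is calling.
add_action( 'wp_ajax_nopriv_crypto_connect_ajax_process', 'weak_crypto_connect' );
function weak_crypto_connect() {
    check_ajax_referer( 'crypto_connect', 'nonce' );
    $wallet = sanitize_text_field( wp_unslash( $_POST['wallet'] ?? '' ) );
    // One site-wide key: for the next hour every visitor is treated as connected.
    set_transient( 'crypto_connected_wallet', $wallet, HOUR_IN_SECONDS );
    wp_send_json_success();
}
function weak_crypto_is_connected() {
    return (bool) get_transient( 'crypto_connected_wallet' );
}

// --- Hardened pattern ---------------------------------------------------------
// Logged-in users only (no wp_ajax_nopriv_ registration), state keyed to the
// user, and wallet ownership proven by signing a server-issued challenge.
add_action( 'wp_ajax_crypto_connect_challenge', 'safe_crypto_challenge' );
function safe_crypto_challenge() {
    check_ajax_referer( 'crypto_connect', 'nonce' );
    $uid       = get_current_user_id();
    $challenge = wp_generate_password( 32, false );
    set_transient( 'crypto_challenge_' . $uid, $challenge, 5 * MINUTE_IN_SECONDS );
    wp_send_json_success( array( 'challenge' => $challenge ) );
}
add_action( 'wp_ajax_crypto_connect_ajax_process', 'safe_crypto_connect' );
function safe_crypto_connect() {
    check_ajax_referer( 'crypto_connect', 'nonce' );
    $uid       = get_current_user_id();
    $wallet    = sanitize_text_field( wp_unslash( $_POST['wallet'] ?? '' ) );
    $sig       = sanitize_text_field( wp_unslash( $_POST['sig'] ?? '' ) );
    $challenge = get_transient( 'crypto_challenge_' . $uid );
    delete_transient( 'crypto_challenge_' . $uid ); // single use
    // Fail closed: a filter implementation (e.g. EIP-191 recovery) must return true.
    $ok = $challenge && apply_filters( 'crypto_verify_wallet_signature', false, $wallet, $challenge, $sig );
    if ( ! $ok ) {
        wp_send_json_error( 'signature verification failed', 403 );
    }
    update_user_meta( $uid, 'crypto_wallet', $wallet ); // per-user, not site-wide
    wp_send_json_success();
}
function safe_crypto_is_connected() {
    return is_user_logged_in() && '' !== (string) get_user_meta( get_current_user_id(), 'crypto_wallet', true );
}
```

The shortcode and page-level checks should call safe_crypto_is_connected(), which depends on the caller's own WordPress session, so one visitor's request can never change what another visitor is allowed to see.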

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers: CVE-2025-11986

Affected Products: Crypto++