PT-2025-46267 · WordPress · Cryptoplugin

Published: 2025-11-11 · Updated: 2025-11-11 · CVE-2025-11988

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Crypto plugin for WordPress versions prior to 2.23
Description: The Crypto plugin for WordPress is susceptible to unauthorized data manipulation. This is caused by an unauthenticated AJAX action, wp_ajax_nopriv_crypto_connect_ajax_process, which allows calling the crypto_delete_json method with only a nonce check. This enables unauthenticated attackers to delete JSON files matching the pattern *_pending.json within the wp-content/uploads/yak/ directory, potentially leading to data loss and denial of service for plugin workflows that depend on these files.
Recommendations: Update the Crypto plugin to version 2.23 or later.
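
The missing-authorization pattern from the description, next to a hardened form, as an added example; it is not the Crypto plugin's source and not its 2.23 fix. The example_ function names, the nonce action, the POST field names and the choice of the manage_options capability are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Names prefixed example_, the nonce
// action and the POST fields are hypothetical; the hook name and the yak/
// directory come from the advisory. A real plugin registers only one variant.

// Before: a nopriv hook guarded by a nonce alone. The nonce is issued to
// anonymous visitors too, so it guards against CSRF but authorizes nobody.
add_action('wp_ajax_nopriv_crypto_connect_ajax_process', 'example_weak_handler');
function example_weak_handler() {
    check_ajax_referer('example_nonce_action', 'nonce');
    example_delete_pending(isset($_POST['name']) ? wp_unslash($_POST['name']) : '');
}

// After: logged-in hook only, plus an explicit capability check.
add_action('wp_ajax_crypto_connect_ajax_process', 'example_hardened_handler');
function example_hardened_handler() {
    check_ajax_referer('example_nonce_action', 'nonce');
    if (!current_user_can('manage_options')) { // assumed capability
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }
    $name = isset($_POST['name']) ? sanitize_file_name(wp_unslash($_POST['name'])) : '';
    if (!example_delete_pending($name)) {
        wp_send_json_error(array('message' => 'Not found'), 404);
    }
    wp_send_json_success();
}

// Deletes one *_pending.json file, confined to wp-content/uploads/yak/.
function example_delete_pending($name) {
    if (!preg_match('/^[A-Za-z0-9_-]+_pending\.json$/', $name)) {
        return false; // wrong pattern or path separators in the name
    }
    $uploads = wp_upload_dir();
    $base = realpath(trailingslashit($uploads['basedir']) . 'yak');
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || dirname($path) !== $base) {
        return false; // file missing, or it resolves outside yak/
    }
    wp_delete_file($path);
    return !file_exists($path);
}
```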

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2025-11988

Affected Products: Cryptoplugin