Information Exposure Vulnerability in Crypto Plugin for WordPress
CVE-2025-11986

5.3 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 11 November 2025

What is CVE-2025-11986?

The Crypto plugin for WordPress exposes an AJAX action, wp_ajax_nopriv_crypto_connect_ajax_process, to unauthenticated attackers. The flaw exists in all versions up to and including 2.22 and lets attackers invoke critical functions such as register and savenft without proper wallet signature verification. As a result, they can set a global authentication state across the entire site for all visitors, bypassing existing access controls. This also allows complete evasion of the restrictions imposed by the [crypto-block] shortcode, affecting all site visitors for a duration of one hour. Attackers may additionally inject arbitrary data into the plugin's custom_users table, posing serious security risks.
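A detection check for the issue described above, added here as an example and not taken from the advisory or the plugin: it scans request records for calls to the crypto_connect_ajax_process AJAX action (the action name that follows the wp_ajax_nopriv_ hook prefix) that arrive without a WordPress login cookie. The JSON-lines log format and the sample entries are constructed assumptions.

```python
import json
from collections import Counter
from typing import Dict, List

# Constructed sample records, as a WAF or reverse proxy might log them
# (one JSON object per line). Not real traffic.
SAMPLE_LOG = """
{"ts":"2025-11-12T10:00:01Z","src":"203.0.113.10","method":"POST","path":"/wp-admin/admin-ajax.php","params":{"action":"crypto_connect_ajax_process"},"cookies":[]}
{"ts":"2025-11-12T10:00:02Z","src":"203.0.113.10","method":"POST","path":"/wp-admin/admin-ajax.php","params":{"action":"crypto_connect_ajax_process"},"cookies":[]}
{"ts":"2025-11-12T10:00:03Z","src":"198.51.100.7","method":"POST","path":"/wp-admin/admin-ajax.php","params":{"action":"crypto_connect_ajax_process"},"cookies":["wordpress_logged_in_1a2b=user|..."]}
{"ts":"2025-11-12T10:00:04Z","src":"198.51.100.8","method":"POST","path":"/wp-admin/admin-ajax.php","params":{"action":"heartbeat"},"cookies":[]}
{"ts":"2025-11-12T10:00:05Z","src":"203.0.113.10","method":"GET","path":"/index.php","params":{},"cookies":[]}
"""

WATCHED_ACTION = "crypto_connect_ajax_process"   # suffix of the wp_ajax_nopriv_ hook


def parse_records(text: str) -> List[Dict]:
    """Parse JSON-lines log text, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than abort the scan
    return records


def is_logged_in(record: Dict) -> bool:
    """WordPress sets a wordpress_logged_in_<hash> cookie for authenticated users."""
    return any(c.startswith("wordpress_logged_in_") for c in record.get("cookies", []))


def find_unauthenticated_calls(records: List[Dict]) -> List[Dict]:
    """Return admin-ajax.php requests that hit the watched action without a login cookie."""
    hits = []
    for r in records:
        if not r.get("path", "").endswith("/admin-ajax.php"):
            continue
        if r.get("params", {}).get("action") != WATCHED_ACTION:
            continue
        if not is_logged_in(r):   # nopriv path: exactly what the advisory describes
            hits.append(r)
    return hits


def count_by_source(hits: List[Dict]) -> Dict[str, int]:
    """Aggregate flagged requests per source address for alerting."""
    return dict(Counter(h.get("src", "unknown") for h in hits))
```

Authenticated users may legitimately call the same action, so the check keys on the missing login cookie rather than on the action name alone.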

Affected Version(s)

Crypto Tool * <= 2.22

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jonas Benjamin Friedli