The Crypto plugin for WordPress contains an authentication bypass vulnerability (CWE-288) due to insufficient validation in the 'crypto_connect_ajax_process::register' function. This allows attackers without prior authentication to impersonate any user by supplying a valid username, potentially gaining administrative access. The vulnerability affects all versions up to 2.19. The CVSS 3.1 base score is 9.8, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and full impact on confidentiality, integrity, and availability. No patch or remediation details have been provided by the vendor or in public advisories.

Successful exploitation allows unauthenticated attackers to bypass authentication controls and log in as any user on the affected WordPress site, including administrators. This can lead to full site compromise, data theft, modification, or deletion, and disruption of service. The vulnerability is critical given the ease of exploitation and the high level of access gained.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider disabling the Crypto plugin or restricting access to the affected functionality via web application firewall rules or other access controls to prevent exploitation.