CVE-2025-11986: CWE-306 Missing Authentication for Critical Function in odude Crypto Tool
The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the register and savenft methods with only a publicly-available nonce check and no wallet signature verification. This makes it possible for unauthenticated attackers to set a site-wide global authentication state via a single transient, bypassing all access controls for ALL visitors to the site. The impact is complete bypass of [crypto-block] shortcode restrictions and page-level access controls, affecting all site visitors for one hour, plus the ability to inject arbitrary data into the plugin's custom_users table.
AI Analysis
Technical Summary
The odude Crypto Tool WordPress plugin registers an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that permits calling critical methods (register and savenft) with only a publicly available nonce check but no wallet signature verification. This missing authentication allows attackers to set a site-wide global authentication transient, bypassing all access controls for all visitors for one hour. Additionally, attackers can inject arbitrary data into the plugin's custom_users table, potentially impacting site integrity.
Potential Impact
The vulnerability leads to a complete bypass of the [crypto-block] shortcode restrictions and page-level access controls for all site visitors for one hour. It also allows injection of arbitrary data into the plugin's custom_users table. The CVSS score is 5.3 (medium), indicating limited confidentiality impact, no integrity or availability impact, and no privileges or user interaction required for exploitation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, site administrators should monitor the vendor's advisories for updates. Until a fix is available, consider disabling the vulnerable plugin or restricting access to the affected AJAX actions if possible.
CVE-2025-11986: CWE-306 Missing Authentication for Critical Function in odude Crypto Tool
Description
The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the register and savenft methods with only a publicly-available nonce check and no wallet signature verification. This makes it possible for unauthenticated attackers to set a site-wide global authentication state via a single transient, bypassing all access controls for ALL visitors to the site. The impact is complete bypass of [crypto-block] shortcode restrictions and page-level access controls, affecting all site visitors for one hour, plus the ability to inject arbitrary data into the plugin's custom_users table.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The odude Crypto Tool WordPress plugin registers an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that permits calling critical methods (register and savenft) with only a publicly available nonce check but no wallet signature verification. This missing authentication allows attackers to set a site-wide global authentication transient, bypassing all access controls for all visitors for one hour. Additionally, attackers can inject arbitrary data into the plugin's custom_users table, potentially impacting site integrity.
Potential Impact
The vulnerability leads to a complete bypass of the [crypto-block] shortcode restrictions and page-level access controls for all site visitors for one hour. It also allows injection of arbitrary data into the plugin's custom_users table. The CVSS score is 5.3 (medium), indicating limited confidentiality impact, no integrity or availability impact, and no privileges or user interaction required for exploitation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, site administrators should monitor the vendor's advisories for updates. Until a fix is available, consider disabling the vulnerable plugin or restricting access to the affected AJAX actions if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-10-20T18:56:32.332Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6912b13014bc3e00ba783d20
Added to database: 11/11/2025, 3:44:48 AM
Last enriched: 4/9/2026, 9:13:20 AM
Last updated: 5/10/2026, 3:44:31 AM
Views: 97
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.