The odude Crypto Tool WordPress plugin, versions up to and including 2.22, contains a missing authorization vulnerability identified as CVE-2025-11988 (CWE-862). The plugin registers an unauthenticated AJAX action named wp_ajax_nopriv_crypto_connect_ajax_process, which allows unauthenticated users to invoke the crypto_delete_json method. This method deletes JSON files matching the pattern *_pending.json located within the wp-content/uploads/yak/ directory. The vulnerability exists because the AJAX action relies solely on a publicly available nonce for validation, which does not provide sufficient authorization controls to restrict access. Consequently, any remote attacker can trigger deletion of these JSON files without authentication or user interaction. The deletion of these files causes data loss and denial of service for plugin workflows that depend on these JSON artifacts, potentially disrupting cryptographic operations or related functionalities provided by the plugin. The CVSS 3.1 base score is 5.3 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, no confidentiality impact, limited integrity impact (file deletion), and no availability impact beyond the plugin's workflow disruption. No patches or known exploits are currently reported, but the vulnerability poses a tangible risk to WordPress sites using this plugin. The flaw highlights the importance of proper authorization checks beyond nonce validation for AJAX actions in WordPress plugins.

For European organizations, exploitation of this vulnerability can lead to targeted denial of service and data loss within WordPress sites utilizing the odude Crypto Tool plugin. This can disrupt business-critical cryptographic workflows or processes relying on the plugin's JSON files, potentially impacting confidentiality indirectly if cryptographic operations fail or are bypassed. The loss of *_pending.json files may cause operational downtime, requiring manual restoration or reconfiguration. Organizations with public-facing WordPress sites are particularly vulnerable due to the network-exploitable nature of the flaw and lack of authentication requirements. This could affect e-commerce, financial services, healthcare, and government websites that rely on secure cryptographic functions. Additionally, the disruption could erode customer trust and lead to compliance issues under regulations like GDPR if service availability or data integrity is compromised. Although the vulnerability does not directly expose sensitive data, the integrity and availability impacts can have cascading effects on organizational security posture and operational continuity.

1. Immediately audit WordPress sites for the presence of the odude Crypto Tool plugin and identify versions up to 2.22. 2. Disable or remove the vulnerable AJAX action wp_ajax_nopriv_crypto_connect_ajax_process by modifying the plugin code or applying a temporary patch to prevent unauthenticated access. 3. Implement proper authorization checks in the plugin code to ensure only authenticated and authorized users can invoke sensitive AJAX actions, replacing reliance on publicly available nonces. 4. Restrict access to the wp-content/uploads/yak/ directory at the web server level to prevent unauthorized file deletions. 5. Monitor logs for suspicious AJAX requests targeting the vulnerable action and for unexpected deletions of *_pending.json files. 6. Maintain regular backups of WordPress site data, including plugin-related files, to enable rapid recovery from deletion attacks. 7. Engage with the plugin vendor or community to obtain official patches or updates addressing this vulnerability. 8. Educate site administrators on the risks of unauthenticated AJAX endpoints and best practices for plugin security hardening.