CVE-2025-11988: CWE-862 Missing Authorization in odude Crypto Tool
The Crypto plugin for WordPress is vulnerable to unauthorized manipulation of data in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the crypto_delete_json method with only a publicly-available nonce check. This makes it possible for unauthenticated attackers to delete specific JSON files matching the pattern *_pending.json within the wp-content/uploads/yak/ directory, causing data loss and denial of service for plugin workflows that rely on these artifacts.
AI Analysis
Technical Summary
The odude Crypto Tool WordPress plugin, up to and including version 2.22, contains a missing authorization vulnerability (CWE-862) tracked as CVE-2025-11988. The root cause is the registration of an unauthenticated AJAX action, wp_ajax_nopriv_crypto_connect_ajax_process, through which unauthenticated users can invoke the crypto_delete_json method. This method deletes JSON files matching the pattern *_pending.json in the wp-content/uploads/yak/ directory. The only gate is a nonce check, and because the nonce is publicly accessible it provides no authorization, so any remote attacker can delete these files without authentication or user interaction. Deleting these JSON files can disrupt the plugin's normal operation, causing data loss and denial of service for workflows that depend on these artifacts. The vulnerability has a CVSS 3.1 base score of 5.3 (medium): network attack vector, low attack complexity, no privileges required, no user interaction, and impact scored as integrity loss only, with no confidentiality or availability impact. No patches or fixes are currently linked, and no exploitation in the wild had been reported as of the publication date. Because every version up to and including 2.22 is affected, vendor remediation or user-applied mitigations are needed.
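The registration pattern the summary describes, next to a hardened handler that enforces authorization before any file is touched. This is an added example, not the plugin's own code; the callback name, nonce action name, POST parameter names and the manage_options capability are assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's own code. Callback name, nonce action
// name and POST parameter names are assumptions made for illustration.

// Pattern the advisory describes: a wp_ajax_nopriv_* hook exposes the
// handler to logged-out visitors, and the only gate is a nonce that the
// site publishes in its pages. A nonce proves request intent, not who
// the requester is, so it cannot substitute for an authorization check.
//
//   add_action('wp_ajax_nopriv_crypto_connect_ajax_process', 'crypto_connect_ajax_process');

// Hardened registration: no nopriv hook at all, so logged-out requests to
// admin-ajax.php?action=crypto_connect_ajax_process get WordPress's default
// "0" response instead of reaching the handler.
add_action('wp_ajax_crypto_connect_ajax_process', 'crypto_connect_ajax_process_safe');

function crypto_connect_ajax_process_safe(): void {
    // CSRF protection: the nonce must belong to the current logged-in session.
    check_ajax_referer('crypto_connect_nonce', 'nonce'); // assumed nonce action name

    // Authorization (the missing check behind CWE-862): require a capability
    // that matches the destructive nature of the operation.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    $task = sanitize_key(wp_unslash($_POST['task'] ?? ''));
    if ($task === 'delete_json') {
        $name = sanitize_file_name(wp_unslash($_POST['file'] ?? ''));
        $ok   = crypto_delete_json_safe($name);
        $ok ? wp_send_json_success() : wp_send_json_error('invalid file', 400);
    }
    wp_send_json_error('unknown task', 400);
}

// Deletes one *_pending.json artifact from wp-content/uploads/yak/ and
// nothing else: the name must match the expected pattern exactly, and the
// path is built from the uploads base dir rather than taken from the client.
function crypto_delete_json_safe(string $name): bool {
    if (!preg_match('/\A[A-Za-z0-9_-]+_pending\.json\z/', $name)) {
        return false;
    }
    $path = trailingslashit(wp_upload_dir()['basedir']) . 'yak/' . $name;
    return is_file($path) && unlink($path);
}
```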
Potential Impact
This vulnerability can lead to unauthorized deletion of critical JSON files used by the Crypto Tool plugin, resulting in data loss and denial of service for plugin-dependent workflows. Organizations relying on this plugin for cryptographic or data processing tasks may experience interruptions, degraded service, or loss of important state information stored in these JSON files. Although the impact does not extend to confidentiality or availability directly, the integrity loss can disrupt business processes and potentially cause operational delays. Since exploitation requires no authentication and can be performed remotely, the risk of automated or mass exploitation attempts exists, especially on publicly accessible WordPress sites using this plugin. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers could develop exploits given the low complexity of the vulnerability. Organizations with high dependency on this plugin’s functionality should consider this a moderate operational risk until patched.
Mitigation Recommendations
1. Immediately restrict access to the wp-content/uploads/yak/ directory via web server configuration to prevent unauthorized HTTP requests from deleting JSON files.
2. Implement additional server-side authorization checks for the wp_ajax_nopriv_crypto_connect_ajax_process AJAX action to ensure only authenticated and authorized users can invoke crypto_delete_json.
3. If possible, disable or remove the vulnerable AJAX action temporarily until a vendor patch is available.
4. Monitor web server and WordPress logs for suspicious AJAX requests targeting the vulnerable endpoint.
5. Regularly back up the wp-content/uploads/yak/ directory and associated JSON files to enable recovery from unauthorized deletions.
6. Engage with the plugin vendor or community to obtain or request a security patch that properly enforces authorization.
7. Consider deploying a Web Application Firewall (WAF) with custom rules to block unauthenticated requests to the vulnerable AJAX action.
8. Educate site administrators about the risk and encourage prompt updates once a patch is released.
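A site-operator stopgap for steps 3 and 4 that a host can apply without editing the plugin: a must-use plugin that intercepts the unauthenticated hook before the plugin's own callback runs and logs the attempt. This is an added example, not the plugin's or vendor's code; it assumes the plugin registers its callback at WordPress's default priority 10 and it leaves the authenticated (wp_ajax_) path untouched.

```php
<?php
/**
 * Plugin Name: CVE-2025-11988 stopgap
 * Description: Blocks unauthenticated calls to crypto_connect_ajax_process until the vendor fix is installed.
 *
 * Added example, not the plugin's own code; place it in wp-content/mu-plugins/.
 */

// Priority 0 runs before the plugin's own callback (default priority 10).
// wp_send_json_error() ends the request, so the vulnerable handler, and
// with it crypto_delete_json, never executes for a logged-out visitor.
add_action('wp_ajax_nopriv_crypto_connect_ajax_process', function (): void {
    // Leave a trace for the log monitoring the advisory recommends.
    error_log(sprintf(
        'CVE-2025-11988 stopgap: blocked unauthenticated crypto_connect_ajax_process from %s',
        sanitize_text_field(wp_unslash($_SERVER['REMOTE_ADDR'] ?? 'unknown'))
    ));
    wp_send_json_error('action disabled pending security update', 403);
}, 0);

// Remove this file once a patched plugin version that enforces authorization is installed.
```

The deletion is performed by PHP through admin-ajax.php, so a web-server rule that only restricts direct HTTP access to wp-content/uploads/yak/ (step 1) does not stop the handler itself; pair it with blocking the action as above or with a WAF rule on the action parameter (step 7).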
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-20T19:32:02.759Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912b13014bc3e00ba783d27
Added to database: 11/11/2025, 3:44:48 AM
Last enriched: 2/27/2026, 7:46:37 PM
Last updated: 3/26/2026, 2:37:30 AM