CVE-2025-11988

MEDIUM

WordPress Crypto <2.22 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-11988. PoCs published by jFriedli.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2025-11988, demonstrating unauthenticated arbitrary file deletion in a WordPress plugin via nonce extraction and crafted AJAX requests.

Description

The Crypto plugin for WordPress is vulnerable to unauthorized manipulation of data in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action (wp_ajax_nopriv_crypto_connect_ajax_process) that allows calling the crypto_delete_json method with only a publicly-available nonce check. This makes it possible for unauthenticated attackers to delete specific JSON files matching the pattern *_pending.json within the wp-content/uploads/yak/ directory, causing data loss and denial of service for plugin workflows that rely on these artifacts.

Exploits (1)

nomisec WORKING POC
by jFriedli · poc
https://github.com/jFriedli/CVE-2025-11988

This repository contains a functional proof-of-concept exploit for CVE-2025-11988, demonstrating unauthenticated arbitrary file deletion in a WordPress plugin via nonce extraction and crafted AJAX requests.

Classification
Working Poc 95%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: WordPress plugin (likely Crypto Connect or similar)
No auth needed
Prerequisites: WordPress installation with vulnerable plugin · Access to the target URL
devstral-2 · analyzed Apr 28, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 5.3
EPSS 0.0030
EPSS Percentile 21.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-862
Status published
Products (1)
odude/Crypto Tool < 2.22
Published Nov 11, 2025
Tracked Since Feb 18, 2026