CVE-2025-11988
BaseFortify
Publication date: 2025-11-11
Last updated on: 2025-11-12
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | crypto_plugin | 2.22 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Crypto plugin for WordPress up to version 2.22. It allows unauthenticated attackers to manipulate data by exploiting an unauthenticated AJAX action that permits deletion of specific JSON files in the wp-content/uploads/yak/ directory. The attack uses a publicly-available nonce check to call a method that deletes files matching *_pending.json, leading to data loss and disruption of plugin workflows.
How can this vulnerability impact me? :
The vulnerability can cause data loss and denial of service for workflows that depend on the affected JSON files within the plugin. This means that critical plugin functions relying on these files may fail or be disrupted, potentially impacting website functionality and user experience.