WordPress Crypto Plugin Information Exposure Vulnerability via Global Authentication State

A vulnerability allowing information exposure has been identified in the Crypto plugin for WordPress, affecting all versions through 2.22. The issue arises from the plugin registering an unauthenticated AJAX action that permits the invocation of the 'register' and 'savenft' methods. This is facilitated by a publicly available nonce check, without any verification of wallet signatures. As a result, unauthenticated attackers can manipulate a site-wide global authentication state through a single transient, effectively bypassing access controls for all site visitors. The vulnerability also allows the injection of arbitrary data into the plugin's custom_users database table.

Impact

Exploitation of this vulnerability leads to a complete bypass of the [crypto-block] shortcode restrictions and page-level access controls, affecting all site visitors for one hour. Additionally, it allows for the injection of arbitrary data into the plugin's custom_users table.

Reproduction

To reproduce this vulnerability, send an AJAX request to the 'wp_ajax_nopriv_crypto_connect_ajax_process' action. Include a valid nonce and specify the 'register' or 'savenft' method. The request will bypass authentication checks and modify the global authentication state.