WordPress Crypto Plugin Unauthenticated Data Manipulation Vulnerability Leading to File Deletion

Vulnerability

A vulnerability exists in the Crypto plugin for WordPress, affecting all versions up to and including 2.22. The issue arises from the plugin allowing unauthenticated AJAX actions that can delete specific JSON files in the wp-content/uploads/yak/ directory. This deletion is facilitated by the crypto_delete_json method, which can be called with only a publicly available nonce, leading to unauthorized data loss and disruption of plugin workflows that depend on these files.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of JSON files, causing data loss and disrupting plugin workflows that rely on the deleted files.

Reproduction

To reproduce this vulnerability, send an AJAX request to the wp_ajax_nopriv_crypto_connect_ajax_process action. Include a valid nonce and specify 'crypto_delete_json' as the method name, along with the parameters needed to identify the JSON file to be deleted. The absence of authentication checks allows this action to be performed by unauthenticated users.
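One way to close the gap described above, as an added example that is not the Crypto plugin's own code: the dispatcher is registered only on the authenticated hook, the nonce is treated as a CSRF check rather than authorization, and the deletion target is confined to the yak upload directory. The function name, nonce action, request field names (`method_name`, `file`) and the `manage_options` capability are assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened handler, not the Crypto plugin's code.
// Assumed names: example_crypto_ajax_process, 'example_crypto_nonce',
// the 'method_name' and 'file' request fields, and the capability map.

// Register only the authenticated hook; with no wp_ajax_nopriv_* registration,
// logged-out visitors cannot reach the dispatcher at all.
add_action( 'wp_ajax_crypto_connect_ajax_process', 'example_crypto_ajax_process' );

function example_crypto_ajax_process() {
    // A nonce is an anti-CSRF token, not proof of identity or privilege.
    check_ajax_referer( 'example_crypto_nonce', 'nonce' );

    // Allowlist of dispatchable methods, each with the capability it requires.
    $methods = array( 'crypto_delete_json' => 'manage_options' );
    $method  = isset( $_POST['method_name'] )
        ? sanitize_key( wp_unslash( $_POST['method_name'] ) )
        : '';

    if ( ! isset( $methods[ $method ] ) ) {
        wp_send_json_error( 'Unknown method', 400 );
    }
    if ( ! current_user_can( $methods[ $method ] ) ) {
        wp_send_json_error( 'Forbidden', 403 );
    }

    // Resolve the target; it must be a .json file directly inside uploads/yak/.
    $uploads = wp_upload_dir();
    $base    = realpath( trailingslashit( $uploads['basedir'] ) . 'yak' );
    $name    = isset( $_POST['file'] )
        ? sanitize_file_name( wp_unslash( $_POST['file'] ) )
        : '';
    $target  = $base ? realpath( $base . DIRECTORY_SEPARATOR . $name ) : false;
    $ext     = $target ? strtolower( pathinfo( $target, PATHINFO_EXTENSION ) ) : '';

    // realpath() collapses ../ and symlinks, so the dirname comparison
    // rejects anything that resolves outside the yak directory.
    if ( ! $target || dirname( $target ) !== $base || 'json' !== $ext ) {
        wp_send_json_error( 'Invalid file', 400 );
    }

    wp_delete_file( $target );
    wp_send_json_success();
}
```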

Added: Nov 11, 2025, 4:51 AM
Updated: Nov 11, 2025, 4:51 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 8.4
remediation: 0.0
relevance: 1.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.