CVE-2025-11988 Crypto Tool <= 2.22 - Missing Authentication to Unauthenticated Limited File Deletion

The Crypto plugin for WordPress is vulnerable to unauthorized manipulation of data in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action wpajaxnoprivcryptoconnectajaxprocess that allows calling the cryptodeletejson method with only a...

Gutenberg & Elementor Templates Importer For Responsive < 2.2.6 - Unprotected AJAX Endpoints

These flaws allowed any authenticated user, regardless of privilege level, the ability to execute various AJAX actions 23 that could reset site data, inject malicious JavaScript in pages, modify theme customizer data, import .xml and .json files, and activate plugins, among many other actions. Al...