cleantalk
Vulnerabilities and Security Researches

Crypto, CVE-2024-9990

CVE, Research URL

CVE-2024-9990

Home page URL

Security reports for Crypto

Application

Crypto

Published on
Oct 29, 2024
Research Description
The Crypto plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.15. This is due to missing nonce validation in the 'crypto_connect_ajax_process::check' function. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
Min -, max 2.16.
Status
vulnerable
Previous vulnerability researches
Elite crypto checkout (5168e230bf164d8e0ebd8f95ccf9add5694cd07c) , Jun 07, 2024
Cryptocurrency Product for WooCommerce (59be8784a762f909def4834a3e75edf09048c69a) , Jun 07, 2024
Cryptocurrency Product for WooCommerce (CVE-2022-4974) , Nov 15, 2024
Crypto (CVE-2024-9990) , Oct 30, 2024
Crypto (CVE-2024-9989) , May 07, 2025
New vulnerability
Frontend Dashboard (CVE-2025-4104) , May 08, 2025
Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce (CVE-2025-0671) , May 08, 2025
Pods – Custom Content Types and Fields (CVE-2025-1446) , May 08, 2025
WP-Recall – Registration, Profile, Commerce & More (CVE-2024-9771) , May 08, 2025
WordPress Tag and Category Manager – AI Autotagger (CVE-2025-0627) , May 08, 2025