Overview
CVE-2025-11771 is a medium-severity vulnerability affecting the Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress. Because the createSaleRecord function performs no authentication or capability check, unauthenticated attackers can manipulate presale counters. All versions up to and including 2.4.6 are affected.
Technical Details
The vulnerability resides within the createSaleRecord function in the RestAPI.php file of the TokenICO plugin. Specifically, the code lacks proper authentication and authorization checks, allowing anyone to send arbitrary requests to this function without needing to be logged in or have the necessary permissions.
Affected File: app/RestAPI.php
Affected Function: createSaleRecord (see line 275)
The absence of authentication and capability checks means an attacker can directly call this API endpoint and modify the presale data, potentially inflating or deflating the numbers to their advantage.
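To show the class of defect, here is an added illustration that is not the TokenICO plugin's code: a WordPress REST route registered with no effective permission check beside a hardened registration. The route namespace, path, the Example_RestAPI class and the capability name are assumed placeholders; the page does not show how the plugin registers its endpoint.

```php
<?php
// Illustrative example only; not the TokenICO plugin's code.
// Namespace, path, class and capability name are assumptions.

// Weak pattern (shown for contrast, not hooked): '__return_true' makes the
// endpoint public, so anyone can reach createSaleRecord without logging in.
// Omitting 'permission_callback' entirely has the same effect on WordPress
// 5.5+ (plus a _doing_it_wrong notice).
function example_register_sale_route_weak() {
    register_rest_route( 'example-plugin/v1', '/sale-record', array(
        'methods'             => 'POST',
        'callback'            => array( 'Example_RestAPI', 'createSaleRecord' ),
        'permission_callback' => '__return_true', // no auth or capability check
    ) );
}

// Hardened pattern: require an authenticated user with a suitable capability
// and declare a validated argument schema before the callback runs.
function example_register_sale_route_hardened() {
    register_rest_route( 'example-plugin/v1', '/sale-record', array(
        'methods'             => 'POST',
        'callback'            => array( 'Example_RestAPI', 'createSaleRecord' ),
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Cookie-authenticated REST calls are only attributed to a user
            // when the X-WP-Nonce header is valid, so this check also
            // covers CSRF for logged-in browsers.
            if ( ! is_user_logged_in() ) {
                return new WP_Error( 'rest_forbidden', 'Authentication required.',
                    array( 'status' => rest_authorization_required_code() ) );
            }
            // 'manage_options' is an assumed capability; use the plugin's own.
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden', 'Insufficient permissions.',
                    array( 'status' => rest_authorization_required_code() ) );
            }
            return true;
        },
        'args' => array(
            'amount' => array(
                'required'          => true,
                'type'              => 'number',
                'minimum'           => 0,
                'sanitize_callback' => 'floatval',
            ),
        ),
    ) );
}

add_action( 'rest_api_init', 'example_register_sale_route_hardened' );
```

When reviewing a plugin for this defect, look at every register_rest_route call and confirm that permission_callback is present and does more than return true for any write endpoint.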
CVSS Analysis
- Severity: MEDIUM
- CVSS Score: 5.3
The score reflects that exploitation requires no authentication, while the impact is limited to manipulating presale counters. The issue is not critical, but unauthenticated write access to presale data is a significant concern.
Possible Impact
Successful exploitation of this vulnerability could lead to:
- Manipulation of Presale Data: Attackers can alter the perceived success of a presale, potentially influencing investor decisions.
- Damage to Trust and Reputation: Incorrectly inflated or deflated presale numbers can erode trust in the project and the platform using the TokenICO plugin.
- Financial Loss: Investors might make decisions based on manipulated data, leading to financial losses.
Mitigation and Patch Steps
The recommended mitigation steps are:
- Upgrade to the Latest Version: Check for plugin updates within your WordPress dashboard. If a patched version is available (later than 2.4.6), immediately update the TokenICO plugin.
- Disable the Plugin: If an update is not yet available or you are unable to update immediately, temporarily disable the TokenICO plugin until a patch is released.
