Overview
CVE-2025-11773 is a security vulnerability in the Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress. It allows any authenticated attacker with Subscriber-level access (or higher) to overwrite the smart contract addresses the plugin displays, because the saveDeployedContract function is exposed without a capability check. All versions of the plugin up to and including 2.4.6 are affected.
Technical Details
The vulnerability resides within the saveDeployedContract function of the TokenICO plugin’s REST API. The lack of proper capability checks allows any authenticated user, even those with the lowest Subscriber role, to make unauthorized changes. The function overwrites the WordPress option tokenico_deployed_contracts, which stores the addresses of the deployed smart contracts associated with the token sale functionality. By manipulating this option, an attacker can effectively poison the contract addresses displayed on the website.
The vulnerable code is located in the RestAPI.php file. Refer to the TokenICO plugin’s RestAPI.php file for the specific code snippet related to the saveDeployedContract function.
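The following is an illustrative route registration written for this page; it is not the TokenICO plugin's RestAPI.php. The namespace, route path, parameter schema and the tokenico_example_* names are assumptions; only the option key tokenico_deployed_contracts and the role of saveDeployedContract (overwrite that option) come from the advisory. The first registration reproduces the bug class described above, an endpoint that checks that a user is logged in but never checks a capability; the second requires manage_options and validates the address before it reaches the option.

```php
<?php
// Added example for this page, not the TokenICO plugin's own code.
// Assumed names: namespace tokenico-example/v1, route /deployed-contract,
// parameters "network" and "address", functions prefixed tokenico_example_.

// Shared handler, modelled on what saveDeployedContract is described as doing:
// it overwrites the tokenico_deployed_contracts option.
function tokenico_example_save_deployed_contract(WP_REST_Request $request) {
    $contracts = get_option('tokenico_deployed_contracts', []);
    if (!is_array($contracts)) {
        $contracts = [];
    }
    $contracts[$request->get_param('network')] = $request->get_param('address');
    update_option('tokenico_deployed_contracts', $contracts);
    return rest_ensure_response(['saved' => $contracts]);
}

// VULNERABLE pattern (defined for contrast, not hooked below): the
// permission_callback only asks whether a user is logged in. Every role,
// Subscriber included, satisfies that, so the handler runs with no
// capability check at all.
function tokenico_example_register_vulnerable_route() {
    register_rest_route('tokenico-example/v1', '/deployed-contract', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'tokenico_example_save_deployed_contract',
        'permission_callback' => function () {
            return is_user_logged_in();   // authentication, not authorization
        },
    ]);
}

// HARDENED form: require a capability only administrators hold, and reject
// anything that is not a 20-byte hex address before it is stored.
function tokenico_example_is_eth_address($value, $request = null, $param = null) {
    return is_string($value) && preg_match('/^0x[0-9a-fA-F]{40}$/', $value) === 1;
}

function tokenico_example_register_hardened_route() {
    register_rest_route('tokenico-example/v1', '/deployed-contract', [
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'tokenico_example_save_deployed_contract',
        'permission_callback' => function () {
            return current_user_can('manage_options');
        },
        'args' => [
            'network' => [
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
            ],
            'address' => [
                'required'          => true,
                'type'              => 'string',
                'validate_callback' => 'tokenico_example_is_eth_address',
            ],
        ],
    ]);
}

add_action('rest_api_init', 'tokenico_example_register_hardened_route');
```

To check a site, send a POST to the plugin's real route (read its path from RestAPI.php) with an application password or a cookie-plus-nonce session for a Subscriber account. Against the vulnerable pattern the request returns 200 and tokenico_deployed_contracts changes; against the hardened form WordPress answers 403 with the rest_forbidden error code and the option is untouched. Note that the permission_callback, not the handler, is the right place for the capability check: WordPress evaluates it before any argument validation or handler code runs.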
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns a score of 4.3 to CVE-2025-11773, which is classified as MEDIUM severity. A 4.3 base score is consistent with the CVSS 3.x vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (Network attack vector, Low attack complexity, Low privileges required, No user interaction, Unchanged scope, No confidentiality impact, Low integrity impact, No availability impact); that vector evaluates to exactly 4.3.
The relatively low score is due to the need for authentication and the limited impact (modification of data, but no direct confidentiality breach or denial of service).
Possible Impact
Successful exploitation of CVE-2025-11773 can have several negative consequences:
- Phishing and Scams: Attackers can replace legitimate smart contract addresses with malicious ones, redirecting users to fraudulent contracts designed to steal funds.
- Loss of Funds: Unsuspecting users who interact with the poisoned contracts may lose their cryptocurrency.
- Reputation Damage: A compromised website can suffer significant reputational damage, leading to a loss of trust from users and investors.
- Legal Issues: If users lose funds due to the vulnerability, the website owner may face legal liabilities.
Mitigation and Patch Steps
The primary mitigation step is to update the TokenICO plugin to the latest version as soon as a patched version becomes available. This version should include proper capability checks on the saveDeployedContract function, restricting access to authorized users only (e.g., administrators).
Until a patch is available, consider the following temporary workarounds (though these are not ideal):
- Reduce Who Can Authenticate: Because the endpoint performs no capability check at all, trimming the Subscriber role's capabilities with a role-editor plugin does not close the hole; any authenticated session reaches the function. What helps is limiting who can obtain a session: disable open registration (the "Anyone can register" setting, stored in the users_can_register option), review and remove stale low-privilege accounts, and revoke application passwords that are not needed.
- Monitor WordPress Options: Regularly compare the tokenico_deployed_contracts option against a known-good copy of the deployed contract addresses, and log every change to it. A database or activity-log monitoring plugin can detect alterations; the check is cheap because the option is small and should change rarely.
- Web Application Firewall (WAF) Rules: Implement WAF rules that detect and block requests to the REST route backing saveDeployedContract (its exact path is in the plugin's RestAPI.php). Scope the rule so that administrators' legitimate calls are still allowed, or treat the block as temporary and remove it once the plugin is patched.
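The two interim controls above, blocking unauthorized writes and logging every change to the option, can be implemented in one must-use plugin. The code below is an added example written for this page, not part of the advisory or of the TokenICO plugin. It assumes the plugin writes through WordPress's update_option(), so that core's pre_update_option_{$option} filter and updated_option action see the write; that administrators are identified by the manage_options capability; and that WP-CLI runs, which carry no logged-in user, are trusted. The file name and the tokenico_guard_* names are assumptions.

```php
<?php
/**
 * Plugin Name: tokenico_deployed_contracts guard (added example)
 *
 * Example mu-plugin for this page; not the advisory's or the plugin's code.
 * Save as wp-content/mu-plugins/tokenico-guard.php; mu-plugins load before
 * regular plugins and cannot be deactivated from the dashboard.
 */

const TOKENICO_GUARD_OPTION = 'tokenico_deployed_contracts';

// Assumption: administrators hold manage_options; WP-CLI has no user and is
// treated as an operator shell.
function tokenico_guard_is_trusted_context(): bool {
    if (defined('WP_CLI') && WP_CLI) {
        return true;
    }
    return current_user_can('manage_options');
}

// Who is making the write, for the log line.
function tokenico_guard_describe_caller(): string {
    $user = wp_get_current_user();
    return sprintf(
        'user #%d (%s) via %s %s',
        $user->ID,
        $user->ID ? $user->user_login : 'anonymous',
        $_SERVER['REQUEST_METHOD'] ?? 'cli',
        $_SERVER['REQUEST_URI'] ?? '-'
    );
}

// 1. Block: for an untrusted caller, hand the old value back. update_option()
//    then sees "no change" and writes nothing. This also covers the case where
//    the option does not exist yet ($old_value is false), because update_option()
//    returns before falling through to add_option().
add_filter('pre_update_option_' . TOKENICO_GUARD_OPTION, function ($value, $old_value, $option) {
    if (tokenico_guard_is_trusted_context()) {
        return $value;
    }
    error_log(sprintf(
        '[tokenico-guard] BLOCKED write to %s by %s; attempted value: %s',
        $option,
        tokenico_guard_describe_caller(),
        wp_json_encode($value)
    ));
    return $old_value;
}, 10, 3);

// 2. Monitor: record every successful change, legitimate ones included, so the
//    stored addresses can be reconciled against the contracts actually deployed.
add_action('updated_option', function ($option, $old_value, $value) {
    if ($option !== TOKENICO_GUARD_OPTION) {
        return;
    }
    error_log(sprintf(
        '[tokenico-guard] CHANGED %s by %s: %s -> %s',
        $option,
        tokenico_guard_describe_caller(),
        wp_json_encode($old_value),
        wp_json_encode($value)
    ));
}, 10, 3);
```

The guard is deliberately narrow: it only intercepts writes that go through update_option(), so code that inserts the option with add_option() or writes the options table directly with $wpdb would bypass it, and it must be removed or kept in mind once the patched plugin legitimately needs to write the option from a non-administrator context. The BLOCKED log lines are also the detection signal: any occurrence on a production site is an authenticated user attempting exactly what this CVE describes, and the user id in the line identifies the account to investigate.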
