{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11771", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-14T23:33:33.261Z", "datePublished": "2025-11-21T07:31:55.521Z", "dateUpdated": "2026-04-08T17:21:00.127Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:21:00.127Z"}, "affected": [{"vendor": "beycanpress", "product": "Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4.7. This makes it possible for unauthenticated attackers to manipulate presales counters."}], "title": "Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO <= 2.4.7 - Missing Authentication to Unauthenticated Presale Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5c5793f-4d98-4ec1-a9b6-6e7c3f8b6099?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop/tags/2.4.6/app/RestAPI.php#L275"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3449189%40tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop&new=3449189%40tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-306 Missing Authentication for Critical Function", "cweId": "CWE-306", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-11-20T19:19:37.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-21T14:44:08.300071Z", "id": "CVE-2025-11771", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T14:56:45.347Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11771", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-21T14:44:08.300071Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T14:44:08.903Z"}}], "cna": {"title": "Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO <= 2.4.6 - Missing Authentication to Unauthenticated Presale Update", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "beycanpress", "product": "Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.4.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-20T19:19:37.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5c5793f-4d98-4ec1-a9b6-6e7c3f8b6099?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop/tags/2.4.6/app/RestAPI.php#L275"}], "descriptions": [{"lang": "en", "value": "The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4.6. This makes it possible for unauthenticated attackers to manipulate presales counters."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-21T07:31:55.521Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11771", "state": "PUBLISHED", "dateUpdated": "2025-11-21T14:56:45.347Z", "dateReserved": "2025-10-14T23:33:33.261Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-21T07:31:55.521Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4.7. This makes it possible for unauthenticated attackers to manipulate presales counters."}], "id": "CVE-2025-11771", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-21T08:15:50.350", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop/tags/2.4.6/app/RestAPI.php#L275"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3449189%40tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop&new=3449189%40tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5c5793f-4d98-4ec1-a9b6-6e7c3f8b6099?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:27:12.887362+00:00", "value": {"mitigation_remediation": ["Upgrade the TokenICO plugin to version 2.4.8 or later, where authentication and capability checks have been added for the createSaleRecord API.", "If an upgrade is not immediately possible, disable the vulnerable REST endpoint by configuring the plugin settings or removing the relevant route via a custom code snippet to prevent unauthenticated access.", "Implement network\u2011level restrictions, such as firewall rules or .htaccess rules, to block or require authentication for the /wp-json/tokenico/v1/createSaleRecord endpoint when the plugin is in use."], "summary": {"action": "Apply Patch", "impact": "Unauthorized modification of presale data via unauthenticated API calls"}, "threat_synthesis": {"affected_systems": "The affected product is the TokenICO Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop plugin for WordPress, provided by beycanpress. All released versions up to and including 2.4.7 are vulnerable; users running these versions should consider them at risk.", "description_and_impact": "The TokenICO plugin for WordPress permits unauthenticated modification of presale counters because the 'createSaleRecord' function lacks proper authentication and capability checks. The missing access control allows an attacker to alter data that influences presale or ICO prize distribution, potentially skewing token allocations or pricing, thereby compromising the integrity of the launchpad. The vulnerability is classified as CWE-306, missing authentication.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity. With an EPSS score of less than 1%, the likelihood of exploitation at this time is low, and the vulnerability is not listed in the CISA KEV catalog. However, the nature of the flaw\u2014unauthenticated modification via a public REST API endpoint\u2014provides a straightforward attack vector. Attackers can send crafted requests to the createSaleRecord endpoint without credentials, adjusting presale counters or altering tokens distributed through the platform."}}}}, "created": "2025-11-24T09:09:40.894478+00:00", "updated": "2026-04-21T01:30:24.399785+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}