CVE-2025-11771
Unknown
Unknown - Not Provided
BaseFortify
Publication date: 2025-11-21
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Description
The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4.7. This makes it possible for unauthenticated attackers to manipulate presales counters.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tokenico | plugin | 2.4.6 |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the TokenICO WordPress plugin (versions up to 2.4.6) and allows unauthenticated attackers to modify data without authorization. Specifically, due to missing authentication and capability checks on the 'createSaleRecord' function, attackers can manipulate presale counters.
How can this vulnerability impact me? :
The vulnerability can allow attackers to manipulate presale counters in the TokenICO plugin without authentication. This could lead to inaccurate presale data, potentially affecting token sale integrity and trustworthiness.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70