CVE-2025-11771
📋 TL;DR
This vulnerability allows unauthenticated attackers to manipulate presale counters in WordPress sites using the TokenICO plugin. Attackers can modify data without any authentication or authorization checks. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- TokenICO Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate cryptocurrency presale statistics to create false demand indicators, potentially enabling financial fraud or market manipulation schemes.
Likely Case
Attackers will manipulate presale counters to create misleading success metrics, damaging the credibility of affected cryptocurrency projects.
If Mitigated
With proper authentication controls, only authorized administrators could modify presale data, preventing unauthorized manipulation.
🎯 Exploit Status
The vulnerability is simple to exploit via direct API calls to the vulnerable function without any authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.7 or later
Vendor Advisory: https://plugins.trac.wordpress.org/browser/tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find TokenICO plugin
4. Click 'Update Now' if update available
5. If no update available, deactivate and delete plugin
6. Install fresh version 2.4.7+ from WordPress repository
🔧 Temporary Workarounds
Disable REST API endpoint
Block access to the vulnerable REST API endpoint using web server rules. Note that the rules below match only the pretty-permalink form of the route; WordPress also serves REST routes as /index.php?rest_route=/tokenico/v1/createSaleRecord, which these patterns do not cover, so deactivating the plugin remains the more complete interim control.
# For Apache .htaccess:
RewriteEngine On
RewriteRule ^wp-json/tokenico/v1/createSaleRecord - [F,L]
# For Nginx:
location ~* ^/wp-json/tokenico/v1/createSaleRecord { return 403; }
🧯 If You Can't Patch
- Immediately deactivate the TokenICO plugin via WordPress admin panel
- Implement WAF rules to block requests to /wp-json/tokenico/v1/createSaleRecord endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for TokenICO plugin version 2.4.6 or earlier
Check Version:
# In WordPress admin: Plugins → Installed Plugins, or via wp-cli:
wp plugin list --name=tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop --field=version
Verify Fix Applied:
Confirm TokenICO plugin version is 2.4.7 or later in WordPress admin panel
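The version check above is easy to get wrong in automation: comparing "2.4.10" and "2.4.7" as strings reports the newer release as older. The following added example (not code from the page or from the plugin vendor) reads the Version: header from a plugin main file the way WordPress keys on it and compares it numerically against the 2.4.7 fix version; the header text is constructed and the real TokenICO file name is not assumed.

```python
import re

# Fix version stated in the advisory: 2.4.7 or later is patched.
FIXED_VERSION = "2.4.7"

# Constructed sample in the style of a WordPress plugin main-file header.
# It is not the real TokenICO header; only the Version: line matters here.
SAMPLE_PLUGIN_HEADER = """\
<?php
/**
 * Plugin Name: TokenICO (constructed sample header)
 * Version: 2.4.10
 */
"""


def read_plugin_version(header_text):
    """Extract the Version: header using the same loose prefix WordPress accepts
    (leading spaces, tabs, '/', '*', '#', '@' before the key)."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", header_text,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1).strip() if m else None


def version_tuple(version):
    """Turn '2.4.10' into (2, 4, 10) so comparison is numeric per component.
    Missing components count as 0, so '2.4' compares as (2, 4, 0); a
    pre-release suffix such as '2.4.7-beta' keeps only its numeric prefix."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when the installed version is strictly below the fix version."""
    return version_tuple(version) < version_tuple(fixed)


def check_plugin_file(header_text):
    """Return (version, vulnerable) for a plugin main file's contents."""
    version = read_plugin_version(header_text)
    if version is None:
        raise ValueError("no Version: header found")
    return version, is_vulnerable(version)


if __name__ == "__main__":
    ver, vuln = check_plugin_file(SAMPLE_PLUGIN_HEADER)
    print(f"installed {ver}: {'VULNERABLE' if vuln else 'patched'}")
    # The naive string comparison gets this case wrong:
    print("string compare says 2.4.10 < 2.4.7:", "2.4.10" < "2.4.7")
```

In practice the header text would come from reading the plugin's main PHP file under wp-content/plugins, or the version from the wp-cli command shown above; the comparison logic is the same either way.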
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-json/tokenico/v1/createSaleRecord from unauthenticated users
- Multiple rapid API calls to createSaleRecord endpoint
Network Indicators:
- Unusual traffic patterns to WordPress REST API endpoints
- POST requests to tokenico endpoints without authentication headers
SIEM Query:
source="web_server" AND (uri_path="/wp-json/tokenico/v1/createSaleRecord" OR uri_path LIKE "%/createSaleRecord") AND http_method="POST" AND NOT (user_agent LIKE "%WordPress%" OR http_referer LIKE "%/wp-admin/%")
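The two log indicators above (POST requests reaching createSaleRecord, and rapid repeated calls) can be checked directly against web server access logs. The following is an added example, not code from the page or the plugin vendor: it parses combined-format log lines, flags POST requests that reach the route in either its pretty-permalink form or the /index.php?rest_route= form, and reports source IPs that issue a burst of calls inside a short window. Unlike the SIEM query, it does not exclude requests by User-Agent or Referer, since both are client-supplied and an attacker can set them freely. The log lines are constructed sample data, the window and threshold values are assumptions to tune for your site, and the site name example.test is a placeholder.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2025:10:15:01 +0000] "POST /wp-json/tokenico/v1/createSaleRecord HTTP/1.1" 200 87 "-" "curl/8.4.0"
203.0.113.7 - - [12/Oct/2025:10:15:02 +0000] "POST /wp-json/tokenico/v1/createSaleRecord HTTP/1.1" 200 87 "-" "curl/8.4.0"
203.0.113.7 - - [12/Oct/2025:10:15:03 +0000] "POST /wp-json/tokenico/v1/createSaleRecord HTTP/1.1" 200 87 "-" "curl/8.4.0"
198.51.100.9 - - [12/Oct/2025:10:20:11 +0000] "POST /index.php?rest_route=%2Ftokenico%2Fv1%2FcreateSaleRecord HTTP/1.1" 200 87 "-" "python-requests/2.32"
192.0.2.44 - - [12/Oct/2025:10:21:00 +0000] "GET /wp-json/tokenico/v1/createSaleRecord HTTP/1.1" 404 42 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Oct/2025:10:22:30 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 512 "https://example.test/wp-admin/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# REST route named in the advisory, without the /wp-json prefix.
ROUTE = "/tokenico/v1/createSaleRecord"


def targets_vulnerable_route(target):
    """True if the request target reaches the route by either URL form."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    # Pretty-permalink form, also when WordPress lives in a subdirectory.
    if path.rstrip("/").endswith("/wp-json" + ROUTE):
        return True
    # Plain-permalink form: /index.php?rest_route=/tokenico/v1/createSaleRecord
    for route in parse_qs(parts.query).get("rest_route", []):
        if route.rstrip("/") == ROUTE:
            return True
    return False


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_hits(log_text):
    """Records of POST requests that reach the vulnerable route."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and targets_vulnerable_route(rec["target"]):
            hits.append(rec)
    return hits


def find_bursts(hits, window_seconds=60, threshold=3):
    """Source IPs with at least `threshold` hits inside any `window_seconds` span
    (sliding window over sorted timestamps; values are assumed tuning defaults)."""
    by_ip = defaultdict(list)
    for rec in hits:
        by_ip[rec["ip"]].append(rec["ts"])
    bursty = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while (stamps[hi] - stamps[lo]).total_seconds() > window_seconds:
                lo += 1
            if hi - lo + 1 >= threshold:
                bursty.add(ip)
                break
    return bursty


def summarize(log_text):
    """Counts and source IPs suitable for an alert body."""
    hits = find_hits(log_text)
    return {
        "hit_count": len(hits),
        "source_ips": sorted({h["ip"] for h in hits}),
        "burst_ips": sorted(find_bursts(hits)),
    }


if __name__ == "__main__":
    for h in find_hits(SAMPLE_LOG):
        print(f'{h["ts"].isoformat()} {h["ip"]} {h["method"]} {h["target"]} ua="{h["ua"]}"')
    print(summarize(SAMPLE_LOG))
```

Run against a real access log with `summarize(open("/var/log/nginx/access.log").read())`; any hit after the endpoint has been blocked or the plugin updated indicates the workaround is not covering every URL form the server accepts.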