CVE-2025-11773
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to modify smart contract addresses displayed by the TokenICO plugin. Attackers can poison the deployed contract data, potentially redirecting cryptocurrency transactions to malicious addresses. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- TokenICO Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers redirect cryptocurrency transactions to their own wallets, causing financial losses for users participating in token sales, ICOs, or airdrops through the compromised site.
Likely Case
Attackers modify displayed contract addresses to point to malicious or fraudulent smart contracts, potentially stealing funds from users who interact with these addresses.
If Mitigated
With proper access controls and monitoring, unauthorized modifications would be detected and prevented before causing financial harm.
🎯 Exploit Status
Exploitation requires authenticated access but only at Subscriber level, which is the lowest WordPress user role. The vulnerability is in a REST API endpoint with missing capability checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.7 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3200000/tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop/trunk/app/RestAPI.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'TokenICO Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop'. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 2.4.7+ from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable REST endpoint
allRemove or restrict access to the vulnerable 'saveDeployedContract' REST API endpoint
Add to theme's functions.php or custom plugin: remove_action('rest_api_init', 'tokenico_rest_api_init');
Restrict user registration
allDisable new user registration to prevent attackers from creating Subscriber accounts
In WordPress admin: Settings → General → uncheck 'Anyone can register'
🧯 If You Can't Patch
- Temporarily disable the TokenICO plugin if cryptocurrency features are not critical
- Implement strict user account controls and monitor for suspicious activity on Subscriber accounts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → TokenICO plugin version. If version is 2.4.6 or lower, you are vulnerable.Check Version:
wp plugin list --name=tokenico-cryptocurrency-token-launchpad-presale-ico-ido-airdrop --field=versionVerify Fix Applied:
After updating, verify plugin version shows 2.4.7 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual REST API calls to tokenico/v1/deployed-contracts endpoint
- Multiple failed authentication attempts followed by successful Subscriber login
- Modifications to WordPress options table for 'tokenico_deployed_contracts'
Network Indicators:
- POST requests to /wp-json/tokenico/v1/deployed-contracts from non-admin users
- Unusual traffic patterns to cryptocurrency-related endpoints
SIEM Query:
source="wordpress.log" AND ("tokenico/v1/deployed-contracts" OR "saveDeployedContract") AND user_role="subscriber"