Description
The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4.7. This makes it possible for unauthenticated attackers to manipulate presales counters.
Published: 2025-11-21
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized modification of presale data via unauthenticated API calls
Action: Apply Patch
AI Analysis

Impact

The TokenICO plugin for WordPress permits unauthenticated modification of presale counters because the 'createSaleRecord' function lacks proper authentication and capability checks. The missing access control allows an attacker to alter data that influences presale or ICO prize distribution, potentially skewing token allocations or pricing, thereby compromising the integrity of the launchpad. The vulnerability is classified as CWE-306, missing authentication.

Affected Systems

The affected product is the TokenICO Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop plugin for WordPress, provided by beycanpress. All released versions up to and including 2.4.7 are vulnerable; users running these versions should consider them at risk.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. With an EPSS score below 1%, the likelihood of exploitation at this time is low, and the vulnerability is not listed in the CISA KEV catalog. However, the nature of the flaw, unauthenticated modification via a public REST API endpoint, provides a straightforward attack vector. Attackers can send crafted requests to the createSaleRecord endpoint without credentials, adjusting presale counters or altering tokens distributed through the platform.

Generated by OpenCVE AI on April 21, 2026 at 01:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TokenICO plugin to version 2.4.8 or later, where authentication and capability checks have been added for the createSaleRecord API.
  • If an upgrade is not immediately possible, disable the vulnerable REST endpoint by configuring the plugin settings or removing the relevant route via a custom code snippet to prevent unauthenticated access.
  • Implement network-level restrictions, such as firewall rules or .htaccess rules, to block or require authentication for the /wp-json/tokenico/v1/createSaleRecord endpoint when the plugin is in use.
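As an added illustration of the checks described above (not TokenICO's code, which is not on this page): a hypothetical WordPress REST route registered with a permission callback that enforces authentication and capability, beside the weak pattern that causes CWE-306, plus a drop-in filter that refuses unauthenticated calls to the endpoint path named above while an upgrade is pending. The namespace, route, handler and capability are assumptions.

```php
<?php
// Added example, not the plugin's own code. Route and handler names are assumed
// from the endpoint path in the recommended actions above.

// Hypothetical handler standing in for the plugin's real one (not on this page).
function hypothetical_create_sale_record( WP_REST_Request $request ) {
    return new WP_REST_Response( array( 'recorded' => true ), 200 );
}

// Permission callback: reject anonymous callers, then require a capability.
// The weak pattern behind a missing-authentication finding is
//   'permission_callback' => '__return_true'
// which lets any visitor reach the handler.
function hypothetical_sale_record_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    return true; // cookie auth has already been validated against the X-WP-Nonce header
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'tokenico/v1', '/createSaleRecord', array(
        'methods'             => 'POST',
        'callback'            => 'hypothetical_create_sale_record',
        'permission_callback' => 'hypothetical_sale_record_permission',
    ) );
} );

// Interim mitigation for sites that cannot upgrade yet (e.g. as an mu-plugin):
// short-circuit dispatch of the affected route for unauthenticated requests,
// so the plugin's own handler never runs for them.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( '/tokenico/v1/createSaleRecord' === $request->get_route() && ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Endpoint requires authentication.', array( 'status' => 403 ) );
    }
    return $result;
}, 10, 3 );
```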



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4.6. This makes it possible for unauthenticated attackers to manipulate presales counters.
Values Added: The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4.7. This makes it possible for unauthenticated attackers to manipulate presales counters.

Type: Title
Values Removed: Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO <= 2.4.6 - Missing Authentication to Unauthenticated Presale Update
Values Added: Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO <= 2.4.7 - Missing Authentication to Unauthenticated Presale Update

Type: References

Mon, 24 Nov 2025 09:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 21 Nov 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 21 Nov 2025 07:45:00 +0000

Type: Description
Values Added: The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4.6. This makes it possible for unauthenticated attackers to manipulate presales counters.

Type: Title
Values Added: Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO <= 2.4.6 - Missing Authentication to Unauthenticated Presale Update

Type: Weaknesses
Values Added: CWE-306

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:00.127Z

Reserved: 2025-10-14T23:33:33.261Z

Link: CVE-2025-11771

Vulnrichment

Updated: 2025-11-21T14:44:08.903Z

NVD

Status: Deferred

Published: 2025-11-21T08:15:50.350

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11771

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:30:24Z

Weaknesses