PT-2025-47682 · WordPress · Cryptocurrency (Token)+1
Published: 2025-11-21 · Updated: 2025-11-21 · CVE-2025-11773
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress versions through 2.4.6
Description
The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress has a flaw that allows unauthorized data modification. This is due to a missing capability check within the saveDeployedContract() function. Attackers with Subscriber-level access or higher can overwrite the WordPress option tokenico deployed contracts, potentially altering the displayed smart contract addresses.
Recommendations
Versions prior to and including 2.4.6 should be updated. As a temporary workaround, restrict access to the saveDeployedContract() function for users with Subscriber-level access or lower.
Fix
Missing Authorization
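The control the description says is missing, as an added sketch that is not the plugin's code: a WordPress AJAX handler that checks a nonce and a capability before it writes an option. It assumes the function is reached as an AJAX action; the action, nonce, request field and option names are placeholders, and manage_options is an assumed choice of required capability.

```php
<?php
// Hypothetical sketch, not the TokenICO plugin's code. The action name, nonce
// name, request field and option name below are placeholders.
const EXAMPLE_ACTION = 'example_save_deployed_contract';
const EXAMPLE_OPTION = 'example_deployed_contracts';

// wp_ajax_{action} fires for every logged-in user, Subscribers included,
// so registering the hook is not an authorization decision.
add_action('wp_ajax_' . EXAMPLE_ACTION, 'example_save_deployed_contract');

function example_save_deployed_contract() {
    // 1. CSRF: reject requests that lack a valid nonce for this action.
    check_ajax_referer(EXAMPLE_ACTION, 'nonce');

    // 2. Authorization: the step whose absence is the weakness described above.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'Insufficient permissions.'), 403);
    }

    // 3. Validation: accept only well-formed addresses (assumes EVM-style
    //    0x-prefixed, 40-hex-digit addresses).
    $raw   = isset($_POST['contracts']) ? (array) wp_unslash($_POST['contracts']) : array();
    $clean = array();
    foreach ($raw as $address) {
        $address = sanitize_text_field($address);
        if (preg_match('/^0x[0-9a-fA-F]{40}$/', $address) !== 1) {
            wp_send_json_error(array('message' => 'Invalid contract address.'), 400);
        }
        $clean[] = $address;
    }

    // Only reached by an authorized caller with a valid nonce and clean input.
    update_option(EXAMPLE_OPTION, $clean);
    wp_send_json_success(array('saved' => count($clean)));
}
```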
Affected Products
Cryptocurrency (Token)
Tokenico