← back
CVE-2025-11771

Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO <= 2.4.7 - Missing Authentication to Unauthenticated Presale Update

CVSS 5.3 MEDIUMEPSS 0.3%CWE-306
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.3EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Lifecycle
21 Nov 2025Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthenticated and unauthorized modification of data due to missing authentication and capability checks on the 'createSaleRecord' function in all versions up to, and including, 2.4.7. This makes it possible for unauthenticated attackers to manipulate presales counters.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →