TokenICO WordPress Plugin Missing Authentication Vulnerability in Presale Update Function
Vulnerability
A vulnerability exists in the TokenICO WordPress plugin (Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO), in all versions through 2.4.6. The 'createSaleRecord' function lacks authentication and capability checks, so unauthenticated and unauthorized users can modify presale data, in particular by manipulating presale counters.
Impact
Exploitation of this vulnerability could lead to unauthorized changes in presale data, allowing attackers to manipulate presale counters without authentication.
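The class of fix this advisory calls for, shown as an added example that is not the TokenICO plugin's code: a state-changing WordPress AJAX handler that performs the authentication, nonce and capability checks before it writes. The hook name, nonce action, capability, request field and option key are hypothetical, since the page does not show how 'createSaleRecord' is registered or stored.

```php
<?php
// Hypothetical sketch: the hook name, nonce action, capability, request field
// and option key are assumptions for illustration, not taken from TokenICO.

// Pattern to avoid: registering a state-changing handler on a
// wp_ajax_nopriv_* hook exposes it to logged-out visitors, and a handler
// without a current_user_can() call lets any caller write.
// add_action( 'wp_ajax_nopriv_example_create_sale_record', 'example_create_sale_record' );

// Hardened registration: only the authenticated hook is used.
add_action( 'wp_ajax_example_create_sale_record', 'example_create_sale_record' );

function example_create_sale_record() {
    // 1. CSRF: reject requests that lack a valid nonce issued by the admin page.
    if ( ! check_ajax_referer( 'example_sale_record', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // 2. Authorization: only users allowed to manage the presale may write.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Validate input before touching the stored presale counter.
    $amount = isset( $_POST['amount'] ) ? absint( wp_unslash( $_POST['amount'] ) ) : 0;
    if ( $amount < 1 ) {
        wp_send_json_error( array( 'message' => 'Invalid amount' ), 400 );
    }

    $sold = (int) get_option( 'example_presale_sold', 0 );
    update_option( 'example_presale_sold', $sold + $amount );

    wp_send_json_success( array( 'sold' => $sold + $amount ) );
}
```

wp_send_json_error() terminates the request, so each failed check stops execution before the counter is read or written.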
Added: Nov 21, 2025, 8:45 AM
Updated: Nov 21, 2025, 4:18 PM
Vulnerability Rating
Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.1
remediation: 0.0
relevance: 1.2
threat: 3.2
urgency: 2.9
incentive: 5.8
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.
