TokenICO WordPress Plugin Missing Authorization Vulnerability in Deployed Contract Update

Vulnerability

A missing-authorization vulnerability exists in the TokenICO WordPress plugin (listed in the plugin directory as "Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO") in all versions up to and including 2.4.6. The plugin's 'saveDeployedContract' function performs no capability check before writing data, so any authenticated user, including one holding only the Subscriber role, can invoke it. An attacker can use this to overwrite the WordPress option 'tokenico_deployed_contracts', corrupting the smart contract addresses the site displays.
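
The following is an added illustration of the bug class described above, written for this page; it is not TokenICO's code. It shows a hypothetical admin-ajax handler that writes 'tokenico_deployed_contracts' with no authorization check, next to a hardened version. The hook names, the nonce action name, the 'network'/'address' request fields, and the assumption that stored addresses are EVM-style (0x plus 40 hex digits) are all assumptions for the example.

```php
<?php
/**
 * Illustrative WordPress AJAX handler (hypothetical, not the plugin's code).
 * Demonstrates a missing capability check on a handler that writes the
 * 'tokenico_deployed_contracts' option, and the corrected version.
 */

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_* actions run for ANY logged-in user, Subscribers included.
// Registering the hook is not an authorization check.
add_action( 'wp_ajax_tokenico_save_deployed_contract_vuln', 'tokenico_save_deployed_contract_vuln' );

function tokenico_save_deployed_contract_vuln() {
    $contracts = get_option( 'tokenico_deployed_contracts', array() );
    // Attacker-controlled input written straight into the option,
    // with no capability check, no nonce and no validation.
    $contracts[ $_POST['network'] ] = $_POST['address'];
    update_option( 'tokenico_deployed_contracts', $contracts );
    wp_send_json_success( $contracts );
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_tokenico_save_deployed_contract', 'tokenico_save_deployed_contract' );

function tokenico_save_deployed_contract() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    //    (Nonce action name 'tokenico_save_deployed_contract' is an assumption.)
    check_ajax_referer( 'tokenico_save_deployed_contract', 'nonce' );

    // 2. Authorization: only users who may manage site options may change the
    //    contract addresses the site displays. This is the check the advisory
    //    describes as missing.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation. Assumes EVM-style addresses: 0x followed by 40 hex digits.
    $network = isset( $_POST['network'] ) ? sanitize_key( wp_unslash( $_POST['network'] ) ) : '';
    $address = isset( $_POST['address'] ) ? sanitize_text_field( wp_unslash( $_POST['address'] ) ) : '';

    if ( '' === $network || ! preg_match( '/^0x[0-9a-fA-F]{40}$/', $address ) ) {
        wp_send_json_error( array( 'message' => 'Invalid network or address.' ), 400 );
    }

    $contracts = get_option( 'tokenico_deployed_contracts', array() );
    if ( ! is_array( $contracts ) ) {
        $contracts = array();
    }
    $contracts[ $network ] = $address;
    update_option( 'tokenico_deployed_contracts', $contracts );

    wp_send_json_success( $contracts );
}

// The admin page that issues the request must emit the matching nonce, e.g.
//   wp_nonce_field( 'tokenico_save_deployed_contract', 'nonce' );
// or pass wp_create_nonce( 'tokenico_save_deployed_contract' ) to its JavaScript.
```

To check whether a site has already been tampered with, read the option directly and compare it against the addresses the project actually deployed, for example with WP-CLI: wp option get tokenico_deployed_contracts --format=json. Any address you do not recognise should be treated as evidence of exploitation, not a configuration mistake.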

Impact

Exploitation allows unauthorized modification of the stored smart contract address data, so the site can be made to display incorrect or attacker-chosen contract addresses to visitors. Because only a Subscriber-level account is required, a site that allows open user registration is effectively exposed to anyone who can create an account.

Added: Nov 21, 2025, 8:44 AM
Updated: Nov 21, 2025, 4:17 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          0.6
  exploitability  5.9
  remediation     0.0
  relevance       1.1
  threat          3.2
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.