
CVE-2025-11773: CWE-862 Missing Authorization in beycanpress Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO

Severity: Medium
Tags: Vulnerability, CVE-2025-11773, CWE-862
Published: Fri Nov 21 2025 (11/21/2025, 07:31:57 UTC)
Source: CVE Database V5
Vendor/Project: beycanpress
Product: Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO

Description

The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveDeployedContract' function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the WordPress option `tokenico_deployed_contracts`, poisoning the smart contract addresses displayed.

AI-Powered Analysis

AI analysis last updated: 11/21/2025, 08:43:40 UTC

Technical Analysis

CVE-2025-11773 identifies a missing authorization vulnerability (CWE-862) in the beycanpress WordPress plugin 'Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO' affecting all versions up to 2.4.6. The vulnerability arises because the 'saveDeployedContract' function lacks proper capability checks, allowing any authenticated user with at least Subscriber-level privileges to invoke it and overwrite the WordPress option 'tokenico_deployed_contracts'. This option stores the addresses of deployed smart contracts displayed by the plugin. By modifying this data, an attacker can poison the contract addresses shown to users, potentially redirecting investments or transactions to malicious contracts. The CVSS 3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts integrity but not confidentiality or availability. The vulnerability does not require administrative privileges, making it more accessible to lower-privileged users who may have accounts on the WordPress site. No patches or fixes are currently published, and no known exploits have been reported in the wild. The plugin is commonly used by cryptocurrency projects to manage token sales, ICOs, IDOs, and airdrops, making the integrity of displayed contract addresses critical to trust and security. Attackers exploiting this flaw could mislead investors or participants by presenting fraudulent contract information, potentially leading to financial losses or reputational harm for affected organizations.

Potential Impact

For European organizations utilizing the beycanpress Cryptocurrency plugin, this vulnerability poses a significant risk to the integrity of their cryptocurrency launch processes. Unauthorized modification of smart contract addresses can lead to users interacting with malicious contracts, resulting in financial theft, fraud, or loss of investor confidence. The reputational damage from such incidents can be severe, especially for startups or established firms conducting ICOs or IDOs. Additionally, regulatory scrutiny in Europe concerning financial and data integrity could lead to legal consequences if compromised data leads to investor harm. Since the vulnerability requires only Subscriber-level access, insider threats or compromised low-privilege accounts could be leveraged to exploit this flaw. The absence of confidentiality or availability impact limits direct data breaches or service outages, but the integrity compromise is critical in the financial context of cryptocurrency operations. The medium CVSS score reflects moderate severity but should not be underestimated given the financial stakes involved.

Mitigation Recommendations

1. Immediately restrict user account creation and limit Subscriber-level privileges to trusted individuals only, reducing the risk of unauthorized access.
2. Monitor and audit changes to the 'tokenico_deployed_contracts' WordPress option regularly to detect unauthorized modifications early.
3. Implement Web Application Firewall (WAF) rules to detect and block suspicious requests targeting the 'saveDeployedContract' function or related plugin endpoints.
4. Encourage the vendor to release a patch that adds proper capability checks to the vulnerable function; apply the patch promptly upon availability.
5. As a temporary workaround, consider disabling or removing the plugin if it is not critical to operations until a fix is available.
6. Educate site administrators and users about the risks of privilege escalation and the importance of strong authentication controls.
7. Employ multi-factor authentication (MFA) for all WordPress user accounts to reduce the risk of account compromise.
8. Regularly back up WordPress configuration and database to enable recovery from unauthorized changes.
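The following is an added example, not the plugin's own code, showing what the missing CWE-862 control looks like when present and how a site owner can audit and guard the 'tokenico_deployed_contracts' option (mitigation 2 above) while waiting for a vendor fix. The AJAX action name, nonce name, input fields and the `example_` function names are hypothetical; only the option name comes from the advisory.

```php
<?php
/**
 * Added example (not the plugin's code): a capability-checked save handler
 * plus audit and guard hooks on the 'tokenico_deployed_contracts' option.
 * Action name, nonce name and request fields are hypothetical.
 */

// Hypothetical hardened handler, registered for logged-in users only.
add_action( 'wp_ajax_example_save_deployed_contract', 'example_save_deployed_contract' );

function example_save_deployed_contract() {
    // 1. Capability check: this is the control whose absence CWE-862 describes.
    //    A Subscriber does not hold 'manage_options', so the request stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: nonce bound to this specific action (hypothetical name).
    check_ajax_referer( 'example_save_deployed_contract', 'nonce' );

    // 3. Strict input validation before anything is written.
    $network = isset( $_POST['network'] ) ? sanitize_key( wp_unslash( $_POST['network'] ) ) : '';
    $address = isset( $_POST['address'] ) ? sanitize_text_field( wp_unslash( $_POST['address'] ) ) : '';

    // EVM-style address: "0x" followed by exactly 40 hex characters.
    if ( '' === $network || ! preg_match( '/^0x[0-9a-fA-F]{40}$/', $address ) ) {
        wp_send_json_error( array( 'message' => 'Invalid network or contract address.' ), 400 );
    }

    $contracts = get_option( 'tokenico_deployed_contracts', array() );
    if ( ! is_array( $contracts ) ) {
        $contracts = array();
    }
    $contracts[ $network ] = $address;
    update_option( 'tokenico_deployed_contracts', $contracts );

    wp_send_json_success( array( 'contracts' => $contracts ) );
}

// Guard (temporary hardening): refuse writes to the option from any code path
// unless the current user may manage options. Returning the old value makes
// update_option() a no-op, so an unpatched handler cannot poison the addresses.
add_filter( 'pre_update_option_tokenico_deployed_contracts', 'example_guard_contract_option', 10, 2 );

function example_guard_contract_option( $value, $old_value ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( 'tokenico_deployed_contracts: blocked write by user ' . get_current_user_id() );
        return $old_value;
    }
    return $value;
}

// Audit (mitigation 2): record every successful change with the acting user
// and source address so unexpected modifications can be spotted early.
add_action( 'update_option_tokenico_deployed_contracts', 'example_audit_contract_change', 10, 2 );

function example_audit_contract_change( $old_value, $value ) {
    $user  = wp_get_current_user();
    $entry = array(
        'time'    => gmdate( 'c' ),
        'user_id' => $user->ID,
        'login'   => $user->user_login,
        'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
        'old'     => $old_value,
        'new'     => $value,
    );
    error_log( 'tokenico_deployed_contracts changed: ' . wp_json_encode( $entry ) );
}
```

The guard and audit hooks can live in a small must-use plugin so they apply regardless of the TokenICO plugin's own code. One caveat for the guard: in contexts with no logged-in user (WP-CLI, cron), `current_user_can()` returns false, so legitimate automated updates of the option would also be refused; scope or remove the guard once a patched plugin version is installed.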


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-14T23:38:10.444Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69202359cf2d47c38997b47e

Added to database: 11/21/2025, 8:31:21 AM

Last enriched: 11/21/2025, 8:43:40 AM

Last updated: 11/21/2025, 11:59:58 PM

Views: 4

