CVE-2025-11773: CWE-862 Missing Authorization in beycanpress Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO
The Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'saveDeployedContract' function in all versions up to, and including, 2.4.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the WordPress option `tokenico_deployed_contracts`, poisoning the smart contract addresses displayed.
AI Analysis
Technical Summary
CVE-2025-11773 is a vulnerability classified under CWE-862 (Missing Authorization) in the beycanpress WordPress plugin 'Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO'. The 'saveDeployedContract' function performs no capability check, so any authenticated user with at least Subscriber-level privileges can invoke it and overwrite the WordPress option 'tokenico_deployed_contracts'. That option stores the addresses of the deployed smart contracts that the plugin displays and uses for its ICO, IDO and airdrop operations. By poisoning these addresses, an attacker can cause the plugin to display or interact with attacker-controlled smart contracts, potentially redirecting funds or misleading users. The vulnerability affects all versions up to and including 2.4.6 and requires no user interaction beyond authentication. The CVSS 3.1 base score is 4.3 (medium), reflecting low attack complexity, a network attack vector, and a limited integrity impact with no effect on confidentiality or availability. No patches or public exploits are currently available, but the risk lies in unauthorized data modification that can undermine trust and financial transactions on the affected WordPress sites.
Potential Impact
For European organizations, especially those operating cryptocurrency platforms, ICO launchpads, or token airdrops using WordPress with this plugin, the vulnerability poses a risk of unauthorized manipulation of smart contract addresses. This can lead to redirection of funds to attacker-controlled contracts, resulting in financial losses and damage to reputation. Since the attack requires only Subscriber-level access, insider threats or compromised low-privilege accounts can exploit this flaw. The integrity of token sale processes and associated smart contract interactions can be compromised, undermining user trust and regulatory compliance. Additionally, misinformation about contract addresses can cause confusion and potential legal liabilities. The impact is particularly significant for organizations in countries with active crypto markets and stringent financial regulations, where trust and transparency are critical.
Mitigation Recommendations
1. Immediately restrict Subscriber and other low-privilege user roles from accessing or invoking functions related to contract deployment or modification within the plugin, possibly by using role management plugins or custom code hooks.
2. Monitor and audit changes to the 'tokenico_deployed_contracts' WordPress option using logging plugins or custom monitoring to detect unauthorized modifications promptly.
3. Implement multi-factor authentication (MFA) for all authenticated users to reduce the risk of account compromise.
4. Isolate or sandbox WordPress installations used for cryptocurrency operations to limit exposure.
5. Engage with the plugin vendor or community to obtain or request a security patch; apply updates as soon as they become available.
6. Consider temporarily disabling the plugin or its vulnerable features if patching is not immediately possible, especially during active ICO or token sale periods.
7. Educate users and administrators about the risk of low-privilege account compromise and enforce strict user access policies.
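Recommendations 1 and 2 can be implemented together as a small must-use plugin that sits between the vulnerable function and the database. The following is an added example written for this advisory, not code from the TokenICO plugin; it assumes that the option is only legitimately rewritten by users holding the 'manage_options' capability (the plugin's intended capability is not stated in the advisory, so adjust the constant if your deployment differs). It uses WordPress's standard `pre_update_option_{$option}` filter, which runs before every write to the named option.

```php
<?php
/**
 * Plugin Name: Guard tokenico_deployed_contracts (hypothetical mu-plugin)
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 * Added example for CVE-2025-11773; not part of the TokenICO plugin.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Option named in the advisory, and the capability we assume a
// legitimate editor of that option must hold (assumption).
define( 'TOKENICO_GUARD_OPTION', 'tokenico_deployed_contracts' );
define( 'TOKENICO_GUARD_CAP', 'manage_options' );

/**
 * Runs inside update_option() before the new value is written.
 * Returning the old value makes the write a no-op (update_option()
 * skips writes when new and old values are equal), so a Subscriber
 * calling saveDeployedContract cannot replace the stored addresses.
 */
function tokenico_guard_pre_update( $value, $old_value, $option ) {
    if ( current_user_can( TOKENICO_GUARD_CAP ) ) {
        tokenico_guard_log( 'allowed', $old_value, $value );
        return $value;            // privileged change: record and allow
    }
    tokenico_guard_log( 'blocked', $old_value, $value );
    return $old_value;            // unprivileged: keep stored value
}
add_filter( 'pre_update_option_' . TOKENICO_GUARD_OPTION, 'tokenico_guard_pre_update', 10, 3 );

/**
 * Audit line in the PHP error log: verdict, user, source IP and a
 * digest of the old and new values (hashed so the log stays readable
 * and a poisoned payload is still identifiable by its digest).
 */
function tokenico_guard_log( $verdict, $old_value, $new_value ) {
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
    error_log( sprintf(
        'tokenico_guard %s option=%s user=%s(%d) ip=%s old=%s new=%s',
        $verdict,
        TOKENICO_GUARD_OPTION,
        $user->exists() ? $user->user_login : '-',
        $user->ID,
        $ip,
        md5( wp_json_encode( $old_value ) ),
        md5( wp_json_encode( $new_value ) )
    ) );
}
```

Note that `current_user_can()` is false in WP-CLI and cron contexts, so if the plugin legitimately rewrites the option from such a context the filter will block that too; extend the check (for example, allow when `defined('WP_CLI')`) if that applies to your site.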
Affected Countries
Germany, United Kingdom, Netherlands, France, Switzerland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-14T23:38:10.444Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69202359cf2d47c38997b47e
Added to database: 11/21/2025, 8:31:21 AM
Last enriched: 11/28/2025, 8:45:12 AM
Last updated: 1/7/2026, 8:47:23 AM
Views: 35