Description
The Binary MLM Plan plugin for WordPress is vulnerable to limited Privilege Escalation in all versions up to, and including, 3.0. This is due to the bmp_user role granting all users the manage_bmp capability by default upon registration through the plugin's form. This makes it possible for unauthenticated attackers to register and manage the plugin's settings.
Published: 2025-10-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The Binary MLM Plan plugin for WordPress contains a flaw that allows unauthenticated users to register an account that is assigned the bmp_user role, which carries the manage_bmp capability. This capability grants the ability to adjust the plugin’s settings, effectively giving the attacker control over the plugin configuration. The vulnerability can be exploited by simply submitting the registration form on a site running the plugin.

Affected Systems

WordPress sites running the Binary MLM Plan plugin – all releases up to and including version 3.0. The affected product is listed as letscms:Binary MLM Plan. Any installation of this plugin in those versions is susceptible.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate overall risk, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw via a normal HTTP POST to the plugin’s registration form, an unauthenticated network vector that is widely reachable. Given the nature of the flaw, a successful exploitation could allow the attacker to modify plugin behavior or use the plugin as a foothold for further attacks on the underlying WordPress installation.

Generated by OpenCVE AI on April 22, 2026 at 13:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Binary MLM Plan plugin to a version newer than 3.0 once it becomes available
  • Reconfigure the plugin so that the bmp_user role does not receive the manage_bmp capability after registration
  • Disable or remove the plugin’s public registration form while awaiting a vendor patch
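The second recommended action can be applied without waiting for a vendor release. The following must-use plugin is an added example, not code from the page, from OpenCVE, or from the plugin vendor: it strips the manage_bmp capability from the bmp_user role and, as defence in depth, denies that capability at check time to every non-administrator. The role and capability names come from the advisory; the file name, function names, hook priorities and the choice to exempt only the administrator role are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Harden bmp_user role (hypothetical mu-plugin, added example)
 * Description: Removes the manage_bmp capability from the bmp_user role as a
 *              stopgap for CVE-2025-10038 until a fixed plugin release exists.
 *              Place in wp-content/mu-plugins/ so it loads on every request
 *              and cannot be deactivated from the dashboard.
 */

// Role and capability names are taken from the advisory text.
const HARDEN_BMP_ROLE = 'bmp_user';
const HARDEN_BMP_CAP  = 'manage_bmp';

/**
 * Strip manage_bmp from the bmp_user role. Runs with the lowest priority on
 * 'init' so that the plugin's own role setup, which may re-add the capability
 * on activation or on each load, has already executed.
 */
function harden_bmp_strip_role_cap(): void {
    $role = get_role( HARDEN_BMP_ROLE );
    if ( $role instanceof WP_Role && $role->has_cap( HARDEN_BMP_CAP ) ) {
        // WP_Role::remove_cap() persists the change to the wp_user_roles option.
        $role->remove_cap( HARDEN_BMP_CAP );
    }
}
add_action( 'init', 'harden_bmp_strip_role_cap', PHP_INT_MAX );

/**
 * Defence in depth: even if some code path grants the capability directly to
 * a user, deny it to everyone except administrators when it is checked.
 * 'user_has_cap' filters the capability map consulted by current_user_can().
 */
function harden_bmp_deny_cap( array $allcaps, array $caps, array $args, WP_User $user ): array {
    $is_admin = in_array( 'administrator', (array) $user->roles, true );
    if ( isset( $allcaps[ HARDEN_BMP_CAP ] ) && ! $is_admin ) {
        $allcaps[ HARDEN_BMP_CAP ] = false;
    }
    return $allcaps;
}
add_filter( 'user_has_cap', 'harden_bmp_deny_cap', 10, 4 );
```

The same role change can be made once from the command line with WP-CLI (`wp cap remove bmp_user manage_bmp`), but because the plugin may restore the capability on its next load, the filter-based denial is the part that keeps holding. Accounts registered through the plugin's form will lose access to the plugin's settings screens by design; administrators keep it, so legitimate management continues. Verify the result for a freshly registered bmp_user account with `wp user list --role=bmp_user` followed by a `current_user_can( 'manage_bmp' )` check in that user's context.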

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000


Mon, 20 Oct 2025 13:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress; Wordpress wordpress

Wed, 15 Oct 2025 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Oct 2025 08:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Binary MLM Plan plugin for WordPress is vulnerable to limited Privilege Escalation in all versions up to, and including, 3.0. This is due to bmp_user role granting all users with the manage_bmp capability by default upon registration through the plugin's form. This makes it possible for unauthenticated attackers to register and manage the plugin's settings.

Type: Title
Values Removed: (none)
Values Added: Binary MLM Plan <= 3.0 - Unauthenticated Limited Privilege Escalation

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-266

Type: References (no values shown)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:02:09.537Z

Reserved: 2025-09-05T17:35:09.789Z

Link: CVE-2025-10038

Vulnrichment

Updated: 2025-10-15T14:01:18.007Z

NVD

Status : Deferred

Published: 2025-10-15T09:15:36.167

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T13:15:17Z

Weaknesses