Description
The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 5.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter, provided they can access the shortcode output.
Published: 2025-10-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Payout Data Disclosure
Action: Apply Patch
AI Analysis

Impact

The Binary MLM Plan plugin is affected by an insecure direct object reference that allows any authenticated user with the "bmp_user" role, often subscribers, to obtain the payouts of other members. The vulnerability resides in the bmp_user_payout_detail_of_current_user() function, which retrieves payout records solely by their ID with no ownership check. An attacker can therefore craft a direct request to the /bmp-account-detail/ endpoint, passing a payout-id for another user, and receive that user’s payout summary. This flaw enables unauthorized disclosure of confidential financial information of other members, but does not provide code execution or broader system compromise.

Affected Systems

Vendors: letscms. Product: Binary MLM Plan plugin for WordPress. Versions up to and including 5.0 are impacted. Any WordPress site that has installed this plugin and allows subscribers to view the shortcode output is vulnerable. Sites running the 5.1 or newer release are not affected.

Risk and Exploitability

The CVSS score is 4.3, indicating a moderate risk. The EPSS score is less than 1%, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The exploit requires an authenticated user with the bmp_user role and access to the shortcode output; the attacker can then issue a straightforward HTTP GET request to /bmp-account-detail/?payout-id= to retrieve another member’s data. No special infrastructure or administrative privileges beyond the role are needed, making the attack path relatively simple for any legitimate subscriber who wishes to view other users’ payouts.

Generated by OpenCVE AI on April 22, 2026 at 00:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Binary MLM Plan plugin to the latest released version (5.1 or newer) which adds ownership verification to payout queries.
  • If an immediate update is not possible, limit access to the /bmp-account-detail/ endpoint by modifying the server’s .htaccess or firewall to block direct requests to that URL for subscribers, or remove the "bmp_user" role from the subscriber role entirely.
  • As a temporary workaround, patch the plugin’s bmp_user_payout_detail_of_current_user() function to check that the payout record belongs to the current user before returning it.
  • Explicitly address CWE-639 by ensuring that any retrieval of payout data validates ownership before disclosure, guarding against insecure direct object references.
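To make the third and fourth actions concrete, the following PHP is an added illustration written for this page; it is not the Binary MLM Plan plugin's own code, and the table name (`{prefix}bmp_payouts`), the `user_id` and `amount` columns, and the function names are assumptions. It shows the id-only lookup pattern the advisory describes next to a version that scopes the query to the logged-in user, so that a payout-id belonging to another member returns no row.

```php
<?php
// Added example, not code from the plugin. Table and column names are assumed.

// BEFORE (the pattern described in the advisory): the record is selected by
// id alone, so any bmp_user who supplies another member's payout id reads it.
function bmp_example_payout_by_id_only( $payout_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'bmp_payouts'; // assumed table name
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", absint( $payout_id ) )
    );
}

// AFTER: ownership is part of the query itself. A foreign id yields no row,
// and because the check is in SQL rather than a later PHP comparison, the
// response does not distinguish "does not exist" from "exists, not yours".
function bmp_example_payout_of_current_user( $payout_id ) {
    global $wpdb;

    if ( ! is_user_logged_in() ) {
        return null;
    }
    $user_id = get_current_user_id();
    $table   = $wpdb->prefix . 'bmp_payouts'; // assumed table name

    $row = $wpdb->get_row(
        $wpdb->prepare(
            // user_id column assumed; it must reference the owning WordPress user
            "SELECT * FROM {$table} WHERE id = %d AND user_id = %d",
            absint( $payout_id ),
            $user_id
        )
    );
    return $row ? $row : null;
}

// Shortcode-style renderer: read the payout-id parameter, fetch only the
// caller's own record, and answer "not found" for anything else.
function bmp_example_render_payout_detail() {
    $payout_id = isset( $_GET['payout-id'] ) ? absint( wp_unslash( $_GET['payout-id'] ) ) : 0;
    $row       = $payout_id ? bmp_example_payout_of_current_user( $payout_id ) : null;

    if ( ! $row ) {
        return '<p>' . esc_html__( 'Payout not found.', 'bmp-example' ) . '</p>';
    }
    return '<p>' . esc_html( sprintf( 'Payout #%d: %s', $row->id, $row->amount ) ) . '</p>';
}
```

The same scoping applies to any other query that takes a record id from the request (the CWE-639 point in the last action): filter on the owner in the query rather than fetching first and comparing afterwards. While a site is still on an affected version, one account requesting many distinct payout-id values against /bmp-account-detail/ in the web server access log is the pattern worth alerting on.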



Advisories

No advisories yet.

History

Wed, 08 Apr 2026 18:30:00 +0000

Type: Description
Values removed: The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 3.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output.
Values added: The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 5.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output.

Type: Title
Values removed: Binary MLM Plan <= 3.0 - Authenticated (Subscriber+) Insecure Direct Object Reference
Values added: Binary MLM Plan <= 5.0 - Authenticated (Subscriber+) Insecure Direct Object Reference

Mon, 20 Oct 2025 13:30:00 +0000

Type: First Time appeared
Values added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Wordpress; Wordpress wordpress

Fri, 17 Oct 2025 13:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Oct 2025 09:45:00 +0000

Type: Description
Values added: The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 3.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output.

Type: Title
Values added: Binary MLM Plan <= 3.0 - Authenticated (Subscriber+) Insecure Direct Object Reference

Type: Weaknesses
Values added: CWE-639

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:15:11.474Z

Reserved: 2025-10-16T20:57:22.475Z

Link: CVE-2025-11895

Vulnrichment

Updated: 2025-10-17T13:05:23.240Z

NVD

Status : Deferred

Published: 2025-10-17T10:15:33.907

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-11895

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:45:04Z

Weaknesses