Privilege Escalation Risk in Binary MLM Plan Plugin by WordPress
CVE-2025-10038

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Binary Mlm Plan
Vendor: CVE Published:; 15 October 2025

What is CVE-2025-10038?

The Binary MLM Plan plugin for WordPress contains a vulnerability that allows users to inadvertently gain increased privileges. Specifically, the bmp_user role is assigned the manage_bmp capability by default upon user registration via the plugin's form. This flaw can be exploited by unauthenticated attackers, enabling them to register for an account and subsequently manage the plugin's settings, posing a significant security risk to the WordPress site.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Binary MLM Plan * <= 3.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/binary-mlm-plan/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 15, 2025
Vulnerability Reserved
Sep 5, 2025

Credit

Jonas Benjamin Friedli

JSON

WordPress