Privilege Escalation Risk in Binary MLM Plan Plugin by WordPress
CVE-2025-10038

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Binary Mlm Plan
Vendor: CVE Published:; 15 October 2025

What is CVE-2025-10038?

The Binary MLM Plan plugin for WordPress contains a vulnerability that allows users to inadvertently gain increased privileges. Specifically, the bmp_user role is assigned the manage_bmp capability by default upon user registration via the plugin's form. This flaw can be exploited by unauthenticated attackers, enabling them to register for an account and subsequently manage the plugin's settings, posing a significant security risk to the WordPress site.

Affected Version(s)

Binary MLM Plan * <= 3.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/binary-mlm-plan/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 15, 2025
Vulnerability Reserved
Sep 5, 2025

Credit

Jonas Benjamin Friedli

JSON