PT-2025-42594 · WordPress · Binary Mlm Plan
Published
2025-10-17
·
Updated
2025-10-17
·
CVE-2025-11895
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Binary MLM Plan plugin for WordPress versions up to and including 3.0
Description
The Binary MLM Plan plugin for WordPress has an issue where an attacker can view payout summaries of other members. This occurs because the
bmp user payout detail of current user() function selects payout records using the payout-id parameter without checking if the current user has permission to view that record. An authenticated attacker with the bmp user role can make direct requests to the /bmp-account-detail/ API endpoint with a crafted payout-id parameter to access payout information they are not authorized to see.Recommendations
Update to a version of the Binary MLM Plan plugin for WordPress later than 3.0.
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Binary Mlm Plan