WordPress
CVE-2025-10038
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Binary MLM Plan plugin for WordPress is vulnerable to limited Privilege Escalation in all versions up to, and including, 3.0. This is due to bmp_user role granting all users with the manage_bmp capability by default upon registration through the plugin's form. This makes it possible for unauthenticated attackers to register and manage the plugin's settings.
AnalysisAI
Binary MLM Plan plugin for WordPress versions up to 3.0 grants the manage_bmp capability to all users upon registration, allowing unauthenticated attackers to register via the plugin's form and immediately escalate privileges to manage plugin settings. This privilege escalation affects all installations with the vulnerable plugin active, with a CVSS score of 6.5 reflecting moderate confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
The vulnerability stems from improper privilege management during user registration (CWE-266: Improper Privilege Assignment). The Binary MLM Plan plugin uses a custom WordPress role, bmp_user, which is assigned the manage_bmp capability by default when any user registers through the plugin's registration form. In WordPress, capabilities are typically restricted to authenticated administrators; however, this implementation grants management capabilities to newly registered users automatically. The affected code paths include the role assignment logic in class-bmp-admin-menus.php and the hook functions in bmp-hook-functions.php, as evidenced by the changeset comparisons between version 3.0 and version 5.0. The vulnerability affects the Binary MLM Plan plugin across all versions including and prior to version 3.0, identified via CPE wordpress#binary-mlm-plan plugin.
Affected ProductsAI
The Binary MLM Plan plugin for WordPress is affected in all versions up to and including version 3.0. The vendor released a patched version 5.0, as evidenced by the changeset comparisons provided by the WordPress plugins repository. Affected installations can be identified by the presence of the binary-mlm-plan plugin with a version number less than or equal to 3.0 in their WordPress plugin directory. The plugin's public repository is available at https://wordpress.org/plugins/binary-mlm-plan/.
RemediationAI
The primary remediation is to upgrade the Binary MLM Plan plugin to version 5.0 or later, which contains fixes to the role assignment logic and removes the automatic grant of manage_bmp capability upon registration. Site administrators should immediately visit their WordPress admin dashboard, navigate to Plugins, and update the Binary MLM Plan plugin to the latest available version. If immediate patching is not feasible, administrators should disable the plugin's registration form or restrict access to the plugin's settings pages using alternative authentication mechanisms until an upgrade is completed. For additional details and confirmation of the patch, refer to the official plugin repository and the Wordfence vulnerability advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/7951c8e4-b610-4cc4-ab27-4cfa78d72302.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today