Medium severity6.5NVD Advisory· Published Oct 15, 2025· Updated Apr 15, 2026
CVE-2025-10038
CVE-2025-10038
Description
The Binary MLM Plan plugin for WordPress is vulnerable to limited Privilege Escalation in all versions up to, and including, 3.0. This is due to bmp_user role granting all users with the manage_bmp capability by default upon registration through the plugin's form. This makes it possible for unauthenticated attackers to register and manage the plugin's settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: <=3.0
Patches
Vulnerability mechanics
References
4- plugins.trac.wordpress.org/changeset/3380455/binary-mlm-plan/tags/5.0/includes/admin/class-bmp-admin-menus.phpnvd
- plugins.trac.wordpress.org/changeset/3380455/binary-mlm-plan/tags/5.0/includes/bmp-hook-functions.phpnvd
- wordpress.org/plugins/binary-mlm-plan/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/7951c8e4-b610-4cc4-ab27-4cfa78d72302nvd
News mentions
0No linked articles in our index yet.