Medium severity (CVSS 4.3) · NVD Advisory · Published Oct 17, 2025 · Updated Apr 15, 2026
CVE-2025-11895
Description
The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference (IDOR) in versions up to, and including, 5.0. The cause is the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying that the record belongs to the requesting user. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter, provided they can access the shortcode output.
Affected products
- Binary MLM Plan plugin for WordPress (no CPE assigned), versions <= 5.0 (two affected entries listed)