vulnerability

WordPress Plugin: binary-mlm-plan: CVE-2025-10038: Incorrect Privilege Assignment

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:L/Au:N/C:P/I:P/A:N)	Oct 14, 2025	Nov 7, 2025	Nov 7, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Published

Oct 14, 2025

Added

Nov 7, 2025

Modified

Nov 7, 2025

Description

The Binary MLM Plan plugin for WordPress is vulnerable to limited Privilege Escalation in all versions up to, and including, 3.0. This is due to bmp_user role granting all users with the manage_bmp capability by default upon registration through the plugin's form. This makes it possible for unauthenticated attackers to register and manage the plugin's settings.

Solution

binary-mlm-plan-plugin-cve-2025-10038

References

URL-https://www.cve.org/CVERecord?id=CVE-2025-10038
URL-https://www.wordfence.com/threat-intel/vulnerabilities/id/7951c8e4-b610-4cc4-ab27-4cfa78d72302?source=api-prod
CVE-2025-10038
https://attackerkb.com/topics/CVE-2025-10038
CWE-266

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today