{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11895", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-16T20:57:22.475Z", "datePublished": "2025-10-17T09:26:39.563Z", "dateUpdated": "2026-04-08T17:15:11.474Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:11.474Z"}, "affected": [{"vendor": "letscms", "product": "Binary MLM Plan", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 5.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output."}], "title": "Binary MLM Plan <= 5.0 - Authenticated (Subscriber+) Insecure Direct Object Reference", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/adba7d0c-29ca-49c5-ac75-bb79d62f6107?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/binary-mlm-plan/trunk/includes/bmp-hook-functions.php#L833"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-16T20:57:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-17T13:05:18.113366Z", "id": "CVE-2025-11895", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-17T13:05:27.926Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11895", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-17T13:05:18.113366Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-17T13:05:23.240Z"}}], "cna": {"title": "Binary MLM Plan <= 5.0 - Authenticated (Subscriber+) Insecure Direct Object Reference", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "letscms", "product": "Binary MLM Plan", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-16T20:57:56.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/adba7d0c-29ca-49c5-ac75-bb79d62f6107?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/binary-mlm-plan/trunk/includes/bmp-hook-functions.php#L833"}], "descriptions": [{"lang": "en", "value": "The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 5.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:15:11.474Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11895", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:15:11.474Z", "dateReserved": "2025-10-16T20:57:22.475Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-17T09:26:39.563Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Binary MLM Plan plugin for WordPress is vulnerable to insecure direct object reference in versions up to, and including, 5.0. This is due to the bmp_user_payout_detail_of_current_user() function selecting payout records solely by id without verifying ownership. This makes it possible for authenticated attackers with the bmp_user role (often subscribers) to view other members' payout summaries via direct requests to the /bmp-account-detail/ endpoint with a crafted payout-id parameter granted they can access the shortcode output."}], "id": "CVE-2025-11895", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-17T10:15:33.907", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/binary-mlm-plan/trunk/includes/bmp-hook-functions.php#L833"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/adba7d0c-29ca-49c5-ac75-bb79d62f6107?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:43:10.834649+00:00", "value": {"mitigation_remediation": ["Update the Binary MLM Plan plugin to the latest released version (5.1 or newer) which adds ownership verification to payout queries.", "If an immediate update is not possible, limit access to the /bmp-account-detail/ endpoint by modifying the server\u2019s .htaccess or firewall to block direct requests to that URL for subscribers, or remove the \"bmp_user\" role from the subscriber role entirely.", "As a temporary workaround, patch the plugin\u2019s bmp_user_payout_detail_of_current_user() function to check that the payout record belongs to the current user before returning it.", "Explicitly address CWE-639 by ensuring that any retrieval of payout data validates ownership before disclosure, guarding against insecure direct object references."], "summary": {"action": "Apply Patch", "impact": "Unauthorized Payout Data Disclosure"}, "threat_synthesis": {"affected_systems": "Vendors: letscms. Product: Binary MLM Plan plugin for WordPress. Versions up to and including 5.0 are impacted. Any WordPress site that has installed this plugin and allows subscribers to view the shortcode output is vulnerable. Sites running the 5.1 or newer release are not affected.", "description_and_impact": "The Binary MLM Plan plugin is affected by an insecure direct object reference that allows any authenticated user with the \"bmp_user\" role, often subscribers, to obtain the payouts of other members. The vulnerability resides in the bmp_user_payout_detail_of_current_user() function, which retrieves payout records solely by their ID with no ownership check. An attacker can therefore craft a direct request to the /bmp-account-detail/ endpoint, passing a payout-id for another user, and receive that user\u2019s payout summary. This flaw enables unauthorized disclosure of confidential financial information of other members, but does not provide code execution or broader system compromise.", "risk_and_exploitability": "The CVSS score is 4.3, indicating a moderate risk. The EPSS score is less than 1%, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The exploit requires an authenticated user with the bmp_user role and access to the shortcode output; the attacker can then issue a straightforward HTTP GET request to /bmp-account-detail/?payout-id= to retrieve another member\u2019s data. No special infrastructure or administrative privileges beyond the role are needed, making the attack path relatively simple for any legitimate subscriber who wishes to view other users\u2019 payouts."}}}}, "created": "2025-10-20T13:22:04.981256+00:00", "updated": "2026-04-22T00:45:04.163638+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}