CVE-2025-10038 identifies a privilege escalation vulnerability in the Binary MLM Plan plugin for WordPress, developed by letscms. The vulnerability stems from an incorrect privilege assignment (CWE-266) where the plugin's bmp_user role automatically grants the manage_bmp capability to any user who registers through the plugin's registration form. This capability allows users to manage the plugin's settings, which should normally be restricted to trusted administrators. Because the registration form is accessible without authentication, an attacker can create an account and immediately gain elevated privileges within the plugin context. This flaw affects all versions up to and including 3.0 of the plugin. The vulnerability is exploitable remotely without any user interaction or prior authentication, making it a network-exploitable issue. The impact includes unauthorized access to plugin management features, potentially allowing attackers to alter MLM plan configurations, disrupt business logic, or prepare for further attacks. The CVSS v3.1 base score is 6.5, indicating a medium severity with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N, meaning it is remotely exploitable with low attack complexity, no privileges or user interaction required, and impacts confidentiality and integrity but not availability. No patches or official fixes are currently listed, and no known exploits have been reported in the wild as of the publication date.

The vulnerability allows unauthenticated attackers to gain limited administrative control over the Binary MLM Plan plugin settings, which can lead to unauthorized modification of MLM configurations and potentially compromise the integrity of the affected WordPress site’s business logic. This can result in fraudulent manipulation of MLM plans, unauthorized data exposure related to MLM structures, or preparation for further attacks such as privilege escalation to full site admin or data exfiltration. While it does not directly impact availability, the integrity and confidentiality impacts can undermine trust and operational stability for organizations relying on this plugin for MLM management. Given WordPress’s widespread use, especially in e-commerce and MLM businesses, exploitation could lead to financial losses, reputational damage, and regulatory compliance issues. The ease of exploitation without authentication increases the risk of automated attacks targeting vulnerable sites.

Organizations should immediately audit their WordPress installations to identify the presence of the Binary MLM Plan plugin and its version. Until an official patch is released, administrators should consider disabling or uninstalling the plugin to prevent exploitation. If the plugin is essential, restrict access to the registration form by implementing additional authentication or CAPTCHA mechanisms to prevent automated registrations. Review and modify user roles and capabilities associated with the bmp_user role to remove the manage_bmp capability from newly registered users. Employ web application firewalls (WAFs) to detect and block suspicious registration attempts targeting this plugin. Monitor logs for unusual account creation and privilege usage patterns. Stay alert for official patches or updates from letscms and apply them promptly once available. Additionally, conduct regular security assessments and maintain least privilege principles for all WordPress roles and plugins.