CVE-2025-11895 identifies an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) in the Binary MLM Plan plugin for WordPress, versions up to and including 3.0. The root cause is the bmp_user_payout_detail_of_current_user() function, which fetches payout details based solely on a payout ID parameter without verifying that the requesting user owns the payout record. This insecure direct object reference (IDOR) allows authenticated users with the bmp_user role—typically subscribers—to access payout summaries of other users by sending crafted HTTP requests to the /bmp-account-detail/ endpoint with manipulated payout-id values. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 score is 4.3 (medium), reflecting low complexity in exploitation but limited impact confined to confidentiality loss of payout data. No integrity or availability impacts are noted. No patches or official fixes are currently linked, and no known exploits have been reported in the wild. The vulnerability was published on October 17, 2025, and assigned by Wordfence. This flaw highlights a common security oversight in multi-level marketing plugins where access control checks are insufficient, leading to unauthorized data exposure among users.

The primary impact of this vulnerability is unauthorized disclosure of sensitive payout information within the Binary MLM Plan plugin. Attackers with basic authenticated access can view other users' payout summaries, potentially exposing confidential financial data and undermining user privacy. This could lead to reputational damage for organizations using the plugin, loss of trust among users, and potential regulatory compliance issues related to data protection. While the vulnerability does not allow modification or deletion of data, the confidentiality breach could facilitate targeted social engineering or insider threats. The scope is limited to organizations using the affected plugin versions, but given WordPress's widespread use, the potential reach is significant. The requirement for authentication reduces the risk of widespread exploitation by anonymous attackers but does not eliminate insider threats or compromised accounts. No denial of service or data integrity impacts are associated with this vulnerability.

To mitigate CVE-2025-11895, organizations should immediately verify if they use the Binary MLM Plan plugin version 3.0 or earlier and plan to upgrade to a patched version once available. In the absence of an official patch, administrators should implement manual access control checks within the plugin code, ensuring that payout records are only accessible to their rightful owners by validating user ownership before data retrieval. Restricting the bmp_user role permissions to limit access to payout details or disabling the vulnerable shortcode output temporarily can reduce exposure. Monitoring access logs for unusual requests to the /bmp-account-detail/ endpoint with suspicious payout IDs can help detect exploitation attempts. Additionally, enforcing strong authentication and monitoring for compromised accounts will reduce the risk of insider abuse. Regular security audits of WordPress plugins and applying the principle of least privilege for user roles are recommended to prevent similar issues.