CVE-2025-11895
BaseFortify
Publication date: 2025-10-17
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | binary_mlm_plan | 3.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Binary MLM Plan plugin for WordPress (up to version 3.0) where the function bmp_user_payout_detail_of_current_user() retrieves payout records by ID without verifying if the requesting user owns those records. As a result, authenticated users with the bmp_user role can view other members' payout summaries by sending crafted requests to the /bmp-account-detail/ endpoint with a manipulated payout-id parameter.
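The fix for the pattern described above is to make record ownership part of the lookup rather than trusting the supplied ID. The following is an added example in WordPress-style PHP, not the Binary MLM Plan plugin's own code; the table name, column names and the example_ function names are assumptions.

```php
<?php
// Added illustration, not the Binary MLM Plan plugin's code; table, column and
// function names are assumptions.

// Return the payout record with id $payout_id only if it belongs to the
// logged-in user. Returns null for "missing" and "not yours" alike, so the
// caller cannot tell the two apart.
function example_get_own_payout( int $payout_id ): ?array {
    global $wpdb;

    $current_user_id = get_current_user_id();
    if ( 0 === $current_user_id ) {
        return null; // anonymous request
    }

    // Assumed schema: {prefix}bmp_payouts( id, user_id, amount, created_at ).
    $table = $wpdb->prefix . 'bmp_payouts';

    // The defect the advisory describes is a lookup keyed on the ID alone
    // (WHERE id = %d), so any bmp_user can read any record. Binding the
    // caller's user_id into the query makes ownership part of the lookup.
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, user_id, amount, created_at FROM {$table} WHERE id = %d AND user_id = %d",
            $payout_id,
            $current_user_id
        ),
        ARRAY_A
    );
    return $row ?: null;
}

// Handler for the payout-id request parameter: validates the input and
// refuses to render a record the caller does not own.
function example_payout_detail_handler(): void {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required', 'Forbidden', array( 'response' => 403 ) );
    }

    // absint() turns negative or non-numeric input into 0 instead of trusting it.
    $payout_id = isset( $_GET['payout-id'] ) ? absint( $_GET['payout-id'] ) : 0;
    $payout = example_get_own_payout( $payout_id );
    if ( null === $payout ) {
        // One response for both "not found" and "not yours": no enumeration oracle.
        wp_die( 'Payout not found', 'Not Found', array( 'response' => 404 ) );
    }

    echo esc_html( sprintf( 'Payout #%d: %s', $payout['id'], $payout['amount'] ) );
}
```

A regression test for this class of bug is to log in as one bmp_user, request a payout-id owned by another, and confirm the response is the same 404 as for a non-existent ID.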
How can this vulnerability impact me?
The vulnerability allows authenticated users with limited privileges to access sensitive payout information of other users, potentially exposing confidential financial data. This unauthorized data disclosure can lead to privacy breaches and loss of trust among users of the affected WordPress site.