UNKNOWN (0.0)
    Plugin

    Insecure Direct Object Reference in Binary MLM Plan Plugin

    Published Date: 10/17/2025
    CVE ID: CVE-2025-11895

    Summary

The vulnerability in the Binary MLM Plan plugin is an insecure direct object reference (IDOR) that allows authenticated users holding the bmp_user role to read other users' payout details. It affects all versions up to and including 3.0 and stems from missing access controls in the payout detail function.

    Vulnerability Details

The vulnerability lies in the plugin's bmp_user_payout_detail_of_current_user() function, which retrieves a payout record using only the ID supplied in the request. Nothing in that lookup verifies that the requesting user owns, or is otherwise entitled to, the payout record being returned. An authenticated attacker with the bmp_user role, which is typically assigned to ordinary subscribers, can therefore send requests to the /bmp-account-detail/ endpoint and, by changing the payout-id parameter, read payout details that belong to other users. Exposing this information is a privacy violation and undermines users' trust in the platform. The root cause is the absence of an authorization check that ties each requested resource to the ownership of the user making the request.

    Recommendations

To mitigate this vulnerability, site administrators should immediately restrict access to the /bmp-account-detail/ endpoint so that only the authorized, correct user can request and view a given payout detail. Strong input validation of the payout-id parameter and an ownership check, confirming that the record belongs to the requesting user, are required before any request for sensitive user information is served. Regularly reviewing and updating plugin security configurations is also advisable.
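The following is an illustrative example added to this advisory; it is not code from the Binary MLM Plan plugin or from Jedar, and every function and table name in it (example_payouts, example_payout_detail_vulnerable, example_payout_detail_for_current_user, example_render_payout_detail) is hypothetical. It places the lookup-by-ID pattern described under Vulnerability Details next to a version that binds the query to the logged-in user, which is the ownership check the Recommendations call for. The WordPress helpers used (get_current_user_id, absint, wp_unslash, wp_die, $wpdb->prepare) are standard core functions.

```php
<?php
// Illustrative example for this advisory, NOT the Binary MLM Plan plugin's
// own code. Table and function names are hypothetical.

// --- Vulnerable pattern: the record is fetched by id alone -------------------
function example_payout_detail_vulnerable( $payout_id ) {
    global $wpdb;
    // Only the id is checked; nothing ties the row to the requesting user,
    // so any valid id returns any user's payout (the IDOR described above).
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}example_payouts WHERE id = %d",
            $payout_id
        )
    );
}

// --- Hardened pattern: ownership is part of the query -----------------------
function example_payout_detail_for_current_user( $payout_id ) {
    global $wpdb;

    $payout_id = absint( $payout_id );
    if ( 0 === $payout_id ) {
        return null; // malformed or missing id
    }

    $user_id = get_current_user_id(); // 0 when nobody is logged in
    if ( 0 === $user_id ) {
        return null;
    }

    // Constrain the lookup by id AND owner. A forged id for someone else's
    // payout returns no row, regardless of whether the id is guessable.
    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}example_payouts WHERE id = %d AND user_id = %d",
            $payout_id,
            $user_id
        )
    );

    if ( null === $row ) {
        // Record the miss for detection: many misses across different ids
        // from one account is the signature of id enumeration.
        error_log( sprintf( 'payout detail denied: user=%d payout=%d', $user_id, $payout_id ) );
    }

    return $row;
}

// Handler for a payout-id request parameter on an account detail page.
function example_render_payout_detail() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Login required', '', array( 'response' => 401 ) );
    }

    // Unslash and sanitize the request parameter before it reaches the query.
    $payout_id = isset( $_GET['payout-id'] ) ? absint( wp_unslash( $_GET['payout-id'] ) ) : 0;

    $payout = example_payout_detail_for_current_user( $payout_id );
    if ( null === $payout ) {
        // Same response whether the record is missing or belongs to another
        // user, so the endpoint cannot confirm which ids exist.
        wp_die( 'Payout not found', '', array( 'response' => 404 ) );
    }

    // ... render $payout for its owner only
}
```

The ownership condition belongs in the query itself rather than in a check performed after the row is loaded, so there is no code path on which another user's record is read and later filtered out. Returning the same 404 for "no such record" and "not yours" keeps the endpoint from leaking which ids are valid, while the logged misses give site operators a signal to alert on.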

    Available Fixes

    Last Updated: 10/19/2025
    Jedar

    Jedar for Digital Rights is a non-profit organization dedicated to protecting digital freedoms, enhancing online privacy, and promoting secure digital practices for vulnerable communities worldwide.
