Binary MLM Plan WordPress Plugin Insecure Direct Object Reference Vulnerability
Vulnerability
An insecure direct object reference (IDOR) vulnerability has been identified in the Binary MLM Plan plugin for WordPress, affecting versions through 3.0. The vulnerability arises because the function 'bmp_user_payout_detail_of_current_user()' retrieves payout records based solely on the payout ID, without verifying that the record belongs to the requesting user. As a result, authenticated users with the 'bmp_user' role, typically subscribers, can view other users' payout summaries by sending direct requests to the '/bmp-account-detail/' endpoint with a modified payout ID, provided they can view the shortcode output.
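The following PHP is an added illustration of the missing ownership check, not code from the Binary MLM Plan plugin: the same payout lookup written first in the pattern the advisory describes (fetch by payout ID alone) and then in a scoped form that binds the query to the current user. The table name 'bmp_payouts', its columns, the 'payout_id' query parameter and all function names are assumptions made for the example.

```php
<?php
// Added example, not the plugin's own code. Table and column names,
// the 'payout_id' parameter and the bmp_example_* function names are assumed.

// Vulnerable pattern: the row is selected by payout ID only, so any logged-in
// user who supplies a different ID receives another member's payout record.
function bmp_example_payout_lookup_vulnerable( $payout_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'bmp_payouts'; // assumed table name
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, user_id, amount FROM {$table} WHERE id = %d", $payout_id ),
        ARRAY_A
    );
}

// Hardened pattern: ownership is enforced inside the query, so a payout ID that
// belongs to someone else simply returns no row. Scoping the query is safer than
// a separate check that a later code path might forget to call.
function bmp_example_payout_lookup_scoped( $payout_id ) {
    global $wpdb;
    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        return null; // no logged-in user: nothing to show
    }
    $table = $wpdb->prefix . 'bmp_payouts'; // assumed table name
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT id, user_id, amount FROM {$table} WHERE id = %d AND user_id = %d",
            $payout_id,
            $user_id
        ),
        ARRAY_A
    );
}

// Second line of defence: re-check the owner of a fetched row before rendering
// it, so the shortcode output can never display a record the caller does not
// own. Site administrators (manage_options) may still view any record.
function bmp_example_current_user_owns_payout( $payout_row ) {
    if ( empty( $payout_row ) ) {
        return false;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return (int) $payout_row['user_id'] === get_current_user_id();
}

// Hypothetical handler behind an account-detail shortcode: the ID comes from the
// query string, is sanitised, and the row is rendered only after both the scoped
// lookup and the ownership check succeed; otherwise the request is refused.
function bmp_example_render_payout_detail() {
    $payout_id = isset( $_GET['payout_id'] ) ? absint( $_GET['payout_id'] ) : 0;
    $row       = bmp_example_payout_lookup_scoped( $payout_id );
    if ( ! bmp_example_current_user_owns_payout( $row ) ) {
        wp_die( esc_html__( 'You are not allowed to view this payout.', 'bmp-example' ), 403 );
    }
    return sprintf( '<p>Payout #%d: %s</p>', (int) $row['id'], esc_html( $row['amount'] ) );
}
```

The two fixes are deliberately redundant: the scoped query prevents the data from being read at all, and the ownership check guards the rendering step in case a record is ever fetched through another path. A plugin that only sanitises the ID (for example with absint()) still has the IDOR, because sanitisation addresses the value's type, not who is allowed to see the record it refers to.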
Impact
Exploitation of this vulnerability allows authenticated users to access and view payout details of other users, potentially leading to unauthorized disclosure of sensitive financial information.
Reproduction
To reproduce this vulnerability, an authenticated user with the 'bmp_user' role sends a request to the '/bmp-account-detail/' endpoint whose payout ID parameter refers to a payout record belonging to another user. In practice this means first loading the '/bmp-account-detail/' endpoint to observe the current user's own payout IDs, and then issuing a request with one of those IDs changed to the ID of another user's payout in order to retrieve that user's payout details.
Remediation
No patch is currently available for this vulnerability. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.