The Binary MLM Plan plugin for WordPress is vulnerable to limited Privilege Escalation in all versions up to, and including, 3.0. This is due to bmp_user role granting all users with the manage_bmp capability by default upon registration through the plugins form. This makes it possible for unauthenticated attackers to register and manage the plugins settings.
A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.