PT-2025-33521 · WordPress · Wpgym - Wordpress Gym Management System
Thái An
·
Published
2025-08-16
·
Updated
2025-08-21
·
CVE-2025-3671
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
WPGYM - Wordpress Gym Management System plugin versions prior to 67.7.1
Description:
The WPGYM - Wordpress Gym Management System plugin for WordPress is susceptible to Local File Inclusion via the
page parameter. This allows authenticated attackers with Subscriber-level access or higher to include and execute arbitrary files on the server, potentially enabling the execution of PHP code. This can be leveraged to bypass access controls, obtain sensitive data, or achieve code execution, particularly when combined with the ability to upload and include files. Exploitation can also lead to privilege escalation, such as updating the passwords of Super Administrator accounts in Multisite environments.Recommendations:
Update the WPGYM - Wordpress Gym Management System plugin to version 67.7.1 or later.
Fix
LPE
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wpgym - Wordpress Gym Management System