CVE-2025-7049

Name of the Vulnerable Software and Affected Versions: WPGYM - Wordpress Gym Management System plugin for WordPress versions prior to 67.7.1

Description: The plugin is susceptible to privilege escalation due to missing validation on a user-controlled key within the MJ gmgt gmgt add user function. Authenticated attackers with Subscriber-level access or higher can modify the email, password, and other details of any user, including administrators.

Recommendations: Update to version 67.7.1 or later. As a temporary workaround, restrict access to the MJ gmgt gmgt add user function until a patch is available.