Platform: wordpress
Component: wpgym
Fixed in: 67.7.1
CVE-2025-6080 affects the WPGYM WordPress Gym Management System plugin, allowing authenticated attackers to create unauthorized admin accounts. This vulnerability stems from insufficient capability validation during user creation, enabling privilege escalation. Versions 0.0.0 through 67.7.0 are vulnerable. A patch is available from the vendor.
Successful exploitation of CVE-2025-6080 allows an attacker with Subscriber-level access or higher to create new administrator accounts within the WordPress site. This grants the attacker complete control over the website, including access to sensitive data, modification of content, installation of malicious plugins, and potentially access to the underlying server. The impact is significant, as it effectively bypasses standard WordPress user access controls and grants an attacker full administrative privileges. This could lead to data breaches, website defacement, and further compromise of the system.
This vulnerability has been publicly disclosed and assigned a HIGH CVSS score. While no public proof-of-concept (POC) has been widely reported, the ease of exploitation makes it a potential target for automated attacks. It is not currently listed on CISA KEV. Monitor WordPress security forums and vulnerability databases for updates.
Websites utilizing the WPGYM plugin, particularly those with a large number of users or lax user permission controls, are at risk. Shared hosting environments where multiple WordPress sites share the same server are also at increased risk, as a compromise on one site could potentially lead to exploitation of this vulnerability on other sites.
• wordpress / composer / npm: wp plugin list | grep WPGYM
• wordpress / composer / npm: wp plugin update --all
• wordpress / composer / npm: wp plugin status | grep WPGYM
• wordpress / composer / npm: wp user list --format=csv | grep "admin"
Exploit status
EPSS: 0.07% (21st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-6080 is to upgrade to a patched version of the WPGYM plugin. Check the vendor's website for the latest version. If immediate upgrading is not possible due to compatibility concerns or breaking changes, consider restricting user roles and permissions to minimize the potential impact. Implement a Web Application Firewall (WAF) rule to block suspicious user creation attempts. Regularly review user accounts and permissions to identify any unauthorized accounts. After upgrade, confirm by logging into the WordPress admin panel and verifying that only authorized users have administrator privileges.
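To make the version check and the admin-account review described above repeatable, here is an added example (not from the advisory or the plugin vendor) that compares an installed WPGYM version against the fixed release and flags administrator accounts that are not on an expected allowlist, reading CSV in the shape wp-cli's `wp user list --format=csv` produces. The sample users and the allowlist are constructed for illustration.

```python
"""Post-upgrade check for CVE-2025-6080: confirm the WPGYM version is
patched and audit administrator accounts from wp-cli CSV output."""
import csv
import io

FIXED_VERSION = "67.7.1"  # release named in the advisory


def parse_version(version: str) -> tuple:
    """Turn '67.7.0' into (67, 7, 0) so versions compare numerically,
    not as strings (string order would put '67.10.0' before '67.7.1')."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable(installed: str) -> bool:
    """Every version below the fixed release is in the affected range."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def unexpected_admins(user_csv: str, allowlist: set) -> list:
    """Return logins that hold the administrator role but are not on the
    allowlist of accounts the site owner expects to have it."""
    flagged = []
    for row in csv.DictReader(io.StringIO(user_csv)):
        roles = {r.strip() for r in row["roles"].split(",")}
        if "administrator" in roles and row["user_login"] not in allowlist:
            flagged.append(row["user_login"])
    return sorted(flagged)


# Constructed sample in the shape of:
# wp user list --format=csv --fields=ID,user_login,user_email,user_registered,roles
SAMPLE_USERS = """ID,user_login,user_email,user_registered,roles
1,siteowner,owner@example.test,2023-01-10 09:00:00,administrator
7,trainer1,trainer@example.test,2024-03-02 12:30:00,subscriber
42,gymadmin2,x@example.test,2025-06-14 03:12:45,administrator
"""

if __name__ == "__main__":
    print("67.7.0 vulnerable:", is_vulnerable("67.7.0"))
    # Only 'siteowner' is an expected administrator on this constructed site.
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS, {"siteowner"}))
```

On a real site, pipe the output of `wp user list --format=csv --fields=ID,user_login,user_email,user_registered,roles` into `unexpected_admins` and treat any flagged login, especially one registered after the plugin was installed, as a candidate for the incident review described above.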
Update the WPGYM plugin to the latest available version to mitigate the vulnerability. Make sure to take a full backup of your website before updating any plugin. The update corrects the missing capability validation, preventing the unauthorized creation of administrator accounts.
CVE-2025-6080 is a HIGH severity vulnerability in the WPGYM WordPress plugin allowing authenticated attackers with Subscriber access to create unauthorized admin accounts, potentially granting them full control of the website.
If you are using WPGYM versions 0.0.0 through 67.7.0, you are potentially affected by this vulnerability. Check your plugin version and upgrade immediately.
Upgrade to the latest version of the WPGYM plugin available from the vendor's website. This patch addresses the capability validation issue.
While no widespread exploitation has been confirmed, the ease of exploitation makes it a potential target. Monitoring is recommended.
Check the WPGYM plugin's official website or WordPress plugin repository for the latest security advisory and patch information.