WPGYM <= 67.7.0 - Absence d'autorisation pour la création de compte Administrateur
Plateforme
wordpress
Composant
wpgym
Corrigé dans
67.7.1
CVE-2025-6080 affects the WPGYM WordPress Gym Management System plugin, allowing authenticated attackers to create unauthorized admin accounts. This vulnerability stems from insufficient capability validation during user creation, enabling privilege escalation. Versions 0.0.0 through 67.7.0 are vulnerable. A patch is available from the vendor.
Détecte cette CVE dans ton projet
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Impact et Scénarios d'Attaquetraduction en cours…
Successful exploitation of CVE-2025-6080 allows an attacker with Subscriber-level access or higher to create new administrator accounts within the WordPress site. This grants the attacker complete control over the website, including access to sensitive data, modification of content, installation of malicious plugins, and potentially access to the underlying server. The impact is significant, as it effectively bypasses standard WordPress user access controls and grants an attacker full administrative privileges. This could lead to data breaches, website defacement, and further compromise of the system.
Contexte d'Exploitationtraduction en cours…
This vulnerability has been publicly disclosed and assigned a HIGH CVSS score. While no public proof-of-concept (POC) has been widely reported, the ease of exploitation makes it a potential target for automated attacks. It is not currently listed on CISA KEV. Monitor WordPress security forums and vulnerability databases for updates.
Qui Est à Risquetraduction en cours…
Websites utilizing the WPGYM plugin, particularly those with a large number of users or lax user permission controls, are at risk. Shared hosting environments where multiple WordPress sites share the same server are also at increased risk, as a compromise on one site could potentially lead to exploitation of this vulnerability on other sites.
Étapes de Détectiontraduction en cours…
• wordpress / composer / npm:
wp plugin list | grep WPGYM• wordpress / composer / npm:
wp plugin update --all• wordpress / composer / npm:
wp plugin status | grep WPGYM• wordpress / composer / npm:
wp user list --format=csv | grep "admin"Chronologie de l'Attaque
- Disclosure
disclosure
Renseignement sur les Menaces
Statut de l'Exploit
EPSS
0.07% (percentile 21%)
CISA SSVC
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Faible — aucune condition spéciale requise. Exploitable de manière fiable.
- Privileges Required
- Faible — tout compte utilisateur valide est suffisant.
- User Interaction
- Aucune — attaque automatique et silencieuse. La victime ne fait rien.
- Scope
- Inchangé — impact limité au composant vulnérable.
- Confidentiality
- Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
- Integrity
- Élevé — l'attaquant peut écrire, modifier ou supprimer toutes les données.
- Availability
- Élevé — panne complète ou épuisement des ressources. Déni de service total.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
- Modifiée
- EPSS mis à jour
Mitigation et Contournementstraduction en cours…
The primary mitigation for CVE-2025-6080 is to upgrade to a patched version of the WPGYM plugin. Check the vendor's website for the latest version. If immediate upgrading is not possible due to compatibility concerns or breaking changes, consider restricting user roles and permissions to minimize the potential impact. Implement a Web Application Firewall (WAF) rule to block suspicious user creation attempts. Regularly review user accounts and permissions to identify any unauthorized accounts. After upgrade, confirm by logging into the WordPress admin panel and verifying that only authorized users have administrator privileges.
Comment corrigertraduction en cours…
Actualice el plugin WPGYM a la última versión disponible para mitigar la vulnerabilidad. Asegúrese de realizar una copia de seguridad completa de su sitio web antes de actualizar cualquier plugin. La actualización corregirá la falta de validación de capacidades, previniendo la creación no autorizada de cuentas de administrador.
Newsletter Sécurité CVE
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
Questions fréquentestraduction en cours…
What is CVE-2025-6080 — Unauthorized Admin Creation in WPGYM?
CVE-2025-6080 is a HIGH severity vulnerability in the WPGYM WordPress plugin allowing authenticated attackers with Subscriber access to create unauthorized admin accounts, potentially granting them full control of the website.
Am I affected by CVE-2025-6080 in WPGYM?
If you are using WPGYM versions 0.0.0 through 67.7.0, you are potentially affected by this vulnerability. Check your plugin version and upgrade immediately.
How do I fix CVE-2025-6080 in WPGYM?
Upgrade to the latest version of the WPGYM plugin available from the vendor's website. This patch addresses the capability validation issue.
Is CVE-2025-6080 being actively exploited?
While no widespread exploitation has been confirmed, the ease of exploitation makes it a potential target. Monitoring is recommended.
Where can I find the official WPGYM advisory for CVE-2025-6080?
Check the WPGYM plugin's official website or WordPress plugin repository for the latest security advisory and patch information.
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.