HIGH · CVE-2025-6080 · CVSS 8.8

WPGYM <= 67.7.0 - Missing Authorization for Administrator Account Creation

Platform

wordpress

Component

wpgym

Fixed in

67.7.1

AI Confidence: high · NVD · EPSS 0.1% · Assessed: May 2026

CVE-2025-6080 affects the WPGYM WordPress Gym Management System plugin, allowing authenticated attackers to create unauthorized admin accounts. This vulnerability stems from insufficient capability validation during user creation, enabling privilege escalation. Versions 0.0.0 through 67.7.0 are vulnerable. A patch is available from the vendor.


Impact and Attack Scenarios

Successful exploitation of CVE-2025-6080 allows an attacker with Subscriber-level access or higher to create new administrator accounts within the WordPress site. This grants the attacker complete control over the website, including access to sensitive data, modification of content, installation of malicious plugins, and potentially access to the underlying server. The impact is significant, as it effectively bypasses standard WordPress user access controls and grants an attacker full administrative privileges. This could lead to data breaches, website defacement, and further compromise of the system.

Exploitation Context

This vulnerability has been publicly disclosed and assigned a HIGH CVSS score. While no public proof-of-concept (POC) has been widely reported, the ease of exploitation makes it a potential target for automated attacks. It is not currently listed on CISA KEV. Monitor WordPress security forums and vulnerability databases for updates.

Who Is at Risk

Websites utilizing the WPGYM plugin, particularly those with a large number of users or lax user permission controls, are at risk. Shared hosting environments where multiple WordPress sites share the same server are also at increased risk, as a compromise on one site could potentially lead to exploitation of this vulnerability on other sites.

Detection Steps

• Check whether the plugin is installed and which version is present (the plugin slug is lowercase `wpgym`, so match case-insensitively):

wp plugin list | grep -i wpgym

• Update all plugins, which pulls in WPGYM 67.7.1 or later once the vendor has published it:

wp plugin update --all

• Confirm the plugin's status and version after the update:

wp plugin status | grep -i wpgym

• List every account holding the administrator role and verify each one is expected (matching on the string "admin" in login names would miss administrators with other usernames):

wp user list --role=administrator --format=csv
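The detection steps above can be scripted. The following POSIX shell script is an added example, not the advisory's or the vendor's code: it parses the CSV that wp-cli prints for `wp plugin list --format=csv --fields=name,version,status` and `wp user list --format=csv --fields=ID,user_login,roles` (assumed layouts), compares the installed version numerically against the fixed release 67.7.1, and lists the administrator accounts that should be reviewed when the install is exposed. The sample CSV embedded below is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not the advisory's or vendor's code: decide from wp-cli CSV output
# whether an install is exposed to CVE-2025-6080 and list the admin accounts to review.
# Assumes the CSV layouts of `wp plugin list --format=csv --fields=name,version,status`
# and `wp user list --format=csv --fields=ID,user_login,roles`.
FIXED_VERSION="67.7.1"   # first patched release named in the advisory

# Constructed sample output standing in for the two live wp-cli calls above.
SAMPLE_PLUGINS='name,version,status
akismet,5.3,active
wpgym,67.6.2,active'
SAMPLE_USERS='ID,user_login,roles
1,owner,administrator
7,frontdesk,subscriber
42,gym_helper,administrator'

# version_lt A B: true when dotted version A is numerically lower than B
# (compared per component, so 67.10.0 is not lower than 67.7.1).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "[.]"); nb = split(b, y, "[.]"); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
      if (p < q) exit 0; if (p > q) exit 1
    }
    exit 1 }'
}
# wpgym_version CSV: prints the installed wpgym version, or nothing if not installed.
wpgym_version() {
  printf '%s\n' "$1" | awk -F, 'tolower($1) == "wpgym" { print $2 }'
}
# list_admins CSV: prints the user_login of every user holding the administrator role.
list_admins() {
  printf '%s\n' "$1" | awk -F, 'NR > 1 && $0 ~ /administrator/ { print $2 }'
}
# check_site PLUGIN_CSV USER_CSV: prints a verdict, then the accounts to review if exposed.
check_site() {
  ver=$(wpgym_version "$1")
  if [ -z "$ver" ]; then
    echo "WPGYM not installed"
  elif version_lt "$ver" "$FIXED_VERSION"; then
    echo "VULNERABLE: wpgym $ver is below $FIXED_VERSION (CVE-2025-6080); review these administrators:"
    list_admins "$2"
  else
    echo "OK: wpgym $ver is $FIXED_VERSION or later"
  fi
}

check_site "$SAMPLE_PLUGINS" "$SAMPLE_USERS"
```

On a live site, replace the two SAMPLE_* variables with the output of the corresponding wp-cli commands.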

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.07% (21st percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base score: 8.8 (HIGH)
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level required for the attack)
User Interaction: None (whether the victim must take action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: High (risk of exposure of sensitive data)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
Source: nextguardhq.com · CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network: remotely exploitable over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
Low: any valid user account is sufficient.
User Interaction
None: automatic and silent attack. The victim does nothing.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
High: complete loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify or delete all data.
Availability
High: complete crash or resource exhaustion. Total denial of service.

Affected Software

Component: wpgym
Vendor: dasinfomedia
Affected range: 0 – 67.7.0
Fixed in: 67.7.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
No patch: 281 days after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2025-6080 is to upgrade to a patched version of the WPGYM plugin. Check the vendor's website for the latest version. If immediate upgrading is not possible due to compatibility concerns or breaking changes, consider restricting user roles and permissions to minimize the potential impact. Implement a Web Application Firewall (WAF) rule to block suspicious user creation attempts. Regularly review user accounts and permissions to identify any unauthorized accounts. After upgrade, confirm by logging into the WordPress admin panel and verifying that only authorized users have administrator privileges.

How to Fix

Update the WPGYM plugin to the latest available version to mitigate the vulnerability. Make sure to take a full backup of your website before updating any plugin. The update corrects the missing capability validation, preventing the unauthorized creation of administrator accounts.


Frequently Asked Questions

What is CVE-2025-6080 — Unauthorized Admin Creation in WPGYM?

CVE-2025-6080 is a HIGH severity vulnerability in the WPGYM WordPress plugin allowing authenticated attackers with Subscriber access to create unauthorized admin accounts, potentially granting them full control of the website.

Am I affected by CVE-2025-6080 in WPGYM?

If you are using WPGYM versions 0.0.0 through 67.7.0, you are potentially affected by this vulnerability. Check your plugin version and upgrade immediately.

How do I fix CVE-2025-6080 in WPGYM?

Upgrade to the latest version of the WPGYM plugin available from the vendor's website. This patch addresses the capability validation issue.

Is CVE-2025-6080 being actively exploited?

While no widespread exploitation has been confirmed, the ease of exploitation makes it a potential target. Monitoring is recommended.

Where can I find the official WPGYM advisory for CVE-2025-6080?

Check the WPGYM plugin's official website or WordPress plugin repository for the latest security advisory and patch information.
