Platform
wordpress
Component
gym-management
Fixed version
65.0.1
CVE-2025-32643 is a critical SQL injection vulnerability in the WPGYM (gym-management) WordPress plugin. The flaw is a blind SQL injection: an attacker who can reach the affected request handler can append conditions to a database query and infer the result from differences in the application's response, which can lead to unauthorized reading and modification of data. According to this advisory, versions prior to 67.8.0 are affected and a patched release is available.
The vulnerability lets request input reach a database query without being bound as a parameter, so the attacker interacts with the site's database through the plugin rather than through any authentication or authorization check the plugin performs. Because the injection is blind, the query's output is never returned directly; the attacker instead asks yes/no questions (does the page differ, does the response stall) and reconstructs data one bit or one character at a time. That is slower than a classic error-based or UNION injection but entirely automatable, and WordPress plugins share the site's single database account, so a successful injection reaches every table, including wp_users (usernames, password hashes, e-mail addresses) and whatever membership or payment details the plugin stores. Write access through the same path can corrupt or delete data. Every installation exposes the same code, so a probe that works on one site works on all unpatched ones.
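The mechanism described above, as an added example that is not part of this advisory and not the plugin's code: a constructed SQLite table stands in for a plugin table, a lookup that concatenates request input into SQL is compared with one that binds the value as a parameter, and a boolean-based blind extraction loop recovers a hidden value using nothing but the true/false answer each lookup gives back. The table, column and secret value are all made up for the demonstration.

```python
import sqlite3

# Constructed stand-in for a plugin table. This is NOT the plugin's real
# schema or code; it exists only to show how a boolean-based blind
# injection recovers data one character at a time.
SECRET = "s3cr3t!"   # value the attacker will read without ever seeing it


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, token TEXT)")
    conn.execute("INSERT INTO members VALUES (1, 'alice', ?)", (SECRET,))
    conn.execute("INSERT INTO members VALUES (2, 'bob', 'unrelated')")
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, member_id: str) -> bool:
    """Vulnerable pattern: the request value is concatenated into the SQL text.

    The caller only learns whether a row came back (True/False), which is
    exactly the one-bit oracle a blind injection needs."""
    sql = "SELECT name FROM members WHERE id = " + member_id
    return conn.execute(sql).fetchone() is not None


def lookup_safe(conn: sqlite3.Connection, member_id: str) -> bool:
    """Hardened pattern: the value is bound as a parameter, so it can only be
    compared against the id column and can never change the query's logic.
    In WordPress the equivalent is $wpdb->prepare() with %d / %s placeholders."""
    row = conn.execute("SELECT name FROM members WHERE id = ?", (member_id,)).fetchone()
    return row is not None


def extract_secret(conn: sqlite3.Connection, oracle, max_len: int = 64) -> tuple[str, int]:
    """Recover members.token for id=1 using only True/False answers.

    For each position a binary search over the ASCII range asks
    "is the code point of character N >= mid?".  Returns the recovered
    string and the number of oracle queries it took, which is why blind
    extraction is slow but entirely feasible."""
    recovered, queries = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi + 1) // 2
            # A valid id plus an appended condition, sent as one parameter value.
            payload = (f"1 AND unicode(substr((SELECT token FROM members WHERE id=1),{pos},1)) >= {mid}")
            queries += 1
            if oracle(conn, payload):
                lo = mid
            else:
                hi = mid - 1
        if lo == 0:
            # substr() past the end returns '' and unicode('') is NULL, so every
            # comparison was false: the whole value has been read.
            break
        recovered += chr(lo)
    return recovered, queries


if __name__ == "__main__":
    db = make_db()
    leaked, n = extract_secret(db, lookup_vulnerable)
    print(f"vulnerable lookup leaked {leaked!r} in {n} yes/no queries")
    safe, _ = extract_secret(db, lookup_safe)
    print(f"parameterized lookup leaked {safe!r}")
```

Against the concatenating lookup the loop recovers the seven-character secret in 56 queries (seven per character plus seven to detect the end); against the parameterized lookup every probe fails to match an integer id and the loop recovers nothing, which is the property the 67.8.0 fix is meant to restore.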
CVE-2025-32643 was publicly disclosed on 2025-05-16. Its CVSS score of 9.3 (Critical) rates the severity of a successful attack, not the likelihood of one; the likelihood estimate on this page is the EPSS figure (0.23%, 46th percentile), which is low at the time of writing. No public proof-of-concept code has been released and the CVE is not listed on CISA KEV. Even so, SQL injection in WordPress plugins is routinely folded into mass scanning campaigns once exploit details circulate, so the severity warrants monitoring and prompt patching.
Websites running WPGYM versions prior to 67.8.0 are at risk. Sites on shared or managed hosting where nobody is responsible for applying plugin updates promptly, and sites whose owners do not monitor installed plugin versions, are likely to stay exposed longest. Sites that store sensitive member data through WPGYM face the greatest impact from a compromise.
• wordpress (wp-cli): list installed plugins with their versions. The plugin directory is expected to match the component slug above (gym-management), but a plugin installed from the vendor's package may sit under another folder name, so match loosely:
wp plugin list | grep -i gym
• wordpress (wp-cli): apply the fix, using the slug shown by wp plugin list. If the plugin receives updates through WordPress, update it in place; otherwise install the vendor's 67.8.0 or later package:
wp plugin update gym-management
• wordpress (source review): look for raw query construction in the plugin code. A match only shows where SQL is built, not whether the values are bound with $wpdb->prepare(), so treat hits as places to inspect rather than as confirmation of the flaw:
grep -rn "SELECT .* FROM" /var/www/html/wp-content/plugins/gym-management/
• generic web: check the WordPress plugin repository and the vendor's changelog for discussions of CVE-2025-32643 and reports of exploitation attempts.
disclosure
Exploitation status
EPSS
0.23% (46th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-32643 is to upgrade the WPGYM plugin to version 67.8.0 or later. If upgrading is not immediately feasible because of compatibility concerns, a Web Application Firewall rule scoped to the plugin's request handlers can reduce exposure in the meantime. Be careful with the rule's shape: blocking every single quote, double quote or semicolon will reject legitimate input such as names with apostrophes or free-text notes, while missing probes that contain none of those characters (for example "42 AND 1=1" or a URL-encoded SLEEP() call). Match SQL structure instead: an AND/OR followed by a comparison, time-delay functions, UNION SELECT, character-extraction functions, and comment terminators, after URL-decoding the value. Keep in mind that WordPress plugins run under the site's single database account, so a query injected through one plugin reaches every table; the real fix is the plugin binding its parameters (in WordPress, $wpdb->prepare()), which only the vendor's update provides. After upgrading, confirm that the installed version reports 67.8.0 or later; if you test the endpoint yourself, do it against a staging copy with a harmless boolean probe rather than against production.
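The WAF caveat above, as an added example that is not part of this advisory and not any WAF vendor's rule set: a handful of constructed request values (the table name wp_x is a placeholder, and none of these were captured against the plugin) are run through the naive "block any quote or semicolon" rule and through a rule keyed on SQL structure, to show which legitimate values each one breaks and which probes each one misses.

```python
import re
from urllib.parse import unquote_plus

# Constructed request parameter values, standing in for what a WAF or a log
# review would see. They are illustrative, not captured traffic against the
# plugin, and "wp_x" is a placeholder table name.
SAMPLE_VALUES = [
    ("member_id", "42"),
    ("name", "O'Brien"),                                  # legitimate apostrophe
    ("note", "arrive at 6; bring a towel"),               # legitimate semicolon
    ("member_id", "42 AND 1=1"),                          # boolean probe, no quotes at all
    ("member_id", "42 AND SUBSTR((SELECT token FROM wp_x LIMIT 1),1,1)='s'"),
    ("member_id", "42%20AND%20SLEEP(5)"),                 # time-based probe, URL-encoded
    ("member_id", "42 AND 1=1-- -"),                      # comment terminator
]

# The rule the advisory text suggests: block any quote or semicolon.
NAIVE = re.compile(r"""['";]""")

# A rule keyed on SQL structure rather than on individual punctuation.
TARGETED = re.compile(r"""
    \b(?:AND|OR)\b\s+[\w'"()]+\s*(?:=|<|>|LIKE\b)      # AND 1=1 style probe
  | \b(?:SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\s*\(         # time-based primitives
  | \bUNION\s+(?:ALL\s+)?SELECT\b                      # union-based extraction
  | \b(?:SUBSTR(?:ING)?|ASCII|UNICODE|ORD|MID)\s*\(     # character extraction
  | --|\#|/\*                                          # comment terminators
""", re.IGNORECASE | re.VERBOSE)


def normalize(value: str) -> str:
    """Decode URL encoding twice so single- and double-encoded probes look the
    same as their plain form before any pattern is applied."""
    return unquote_plus(unquote_plus(value))


def screen(samples, rule: re.Pattern) -> list[str]:
    """Return the parameter values a rule would block."""
    return [value for _, value in samples if rule.search(normalize(value))]


if __name__ == "__main__":
    for label, rule in (("naive quote/semicolon rule", NAIVE), ("structure-based rule", TARGETED)):
        print(f"{label} blocks:")
        for v in screen(SAMPLE_VALUES, rule):
            print("   ", v)
```

On this input the naive rule blocks the member name and the note while letting three of the four probes through; the structure-based rule blocks all four probes and none of the legitimate values. Any such rule is still a stopgap that a determined attacker can work around with alternative syntax, which is why it buys time for the upgrade rather than replacing it.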
Update to version 67.8.0, or a newer patched version
CVE-2025-32643 is a critical SQL Injection vulnerability affecting the WPGYM WordPress plugin, allowing attackers to potentially extract data from the database.
You are affected if you are using WPGYM versions prior to 67.8.0. Immediately check your plugin version and upgrade if necessary.
Upgrade the WPGYM plugin to version 67.8.0 or later. Consider implementing a WAF rule as a temporary mitigation if upgrading is not immediately possible.
No active exploitation has been confirmed and the EPSS estimate is currently low, but SQL injection in WordPress plugins is routinely weaponized once details or a proof of concept circulate, so treat the update as urgent.
Refer to the WPGYM plugin's official website or WordPress plugin repository for the latest security advisory and update information.