An attacker can inject crafted SQL payloads into inputs accepted by the WPGYM plugin because special characters are not properly escaped before being incorporated into database queries. The flaw permits execution of arbitrary SQL commands, which can lead to reading of sensitive data, alteration of database contents, or even removal of data. The description does not detail specific data that could be accessed, but SQL injection inherently grants the attacker the ability to manipulate the database at the owner’s discretion.

WordPress installations that use the WPGYM plugin version 65.0 or earlier are impacted. The vulnerability is reported for all releases from the earliest to and including 65.0; therefore any site that has not upgraded past that version should be considered vulnerable.

The CVSS score of 8.5 indicates a high severity level. The EPSS score is below 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through web requests that send unsanitized input to the plugin’s interface, which may be accessible by authenticated users, site administrators, or guests who can manipulate plugin parameters. Successful exploitation would involve a crafted request that is executed as an SQL statement against the site’s database.