Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows Blind SQL Injection. This issue affects WPGYM: from n/a through 65.0.
Published: 2025-05-16
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper neutralization of special elements within SQL commands, enabling a blind SQL injection attack. An attacker can craft malicious input that is not properly validated and thereby execute arbitrary SQL queries against the database. The primary consequence is unauthorized access to sensitive data, including the potential to manipulate or delete database contents and, by extension, to compromise the application. The weakness is classified as CWE-89 and carries a CVSS score of 9.3, indicating a severe security flaw.

Affected Systems

The flaw affects the WordPress WPGYM plugin developed by Mojoomla. All plugin releases from the earliest version up to and including 65.0 are vulnerable. WordPress sites that have the WPGYM plugin installed in these versions are at risk.

Risk and Exploitability

Given the high CVSS score of 9.3 and the very low EPSS probability (<1%), the vulnerability is technically dangerous but its exploitation likelihood is presently low. It is not listed in the CISA Known Exploited Vulnerabilities catalog. The attack vector is inferred to be an external web request, authenticated or unauthenticated, that targets the plugin's input handling. Because the injection is blind, an attacker would need to observe changes in responses to confirm that it succeeded. Once successful, the attacker can read or modify database content as permitted by the database credentials used by WordPress.

Generated by OpenCVE AI on April 30, 2026 at 20:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPGYM plugin to the latest version (66.0 or later) where the issue is fixed.
  • If an upgrade cannot be applied immediately, disable or remove the WPGYM plugin to prevent exploitation.
  • Restrict the WordPress database user privileges so that the account used by the site has only the necessary permissions and cannot execute arbitrary queries.
  • Deploy a Web Application Firewall or similar filtering mechanism to detect and block SQL injection attempts targeting the plugin’s input fields.



Advisories

Source: EUVD
ID: EUVD-2025-15489
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows Blind SQL Injection. This issue affects WPGYM: from n/a through 65.0.

History

Tue, 28 Apr 2026 19:45:00 +0000


Tue, 28 Apr 2026 18:30:00 +0000

Description
  Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM gym-management allows Blind SQL Injection. This issue affects WPGYM: from n/a through < 67.8.0.
  Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows Blind SQL Injection. This issue affects WPGYM: from n/a through 65.0.
Title
  Removed: WordPress WPGYM plugin < 67.8.0 - SQL Injection vulnerability
  Added: WordPress WPGYM Plugin <= 65.0 - SQL Injection vulnerability
References

Thu, 23 Apr 2026 15:30:00 +0000


Thu, 23 Apr 2026 15:00:00 +0000

Description
  Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows Blind SQL Injection. This issue affects WPGYM: from n/a through 65.0.
  Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM gym-management allows Blind SQL Injection. This issue affects WPGYM: from n/a through < 67.8.0.
Title
  Removed: WordPress WPGYM Plugin <= 65.0 - SQL Injection vulnerability
  Added: WordPress WPGYM plugin < 67.8.0 - SQL Injection vulnerability
References

Fri, 16 May 2025 17:15:00 +0000

Metrics
  Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 May 2025 16:00:00 +0000

Description
  Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows Blind SQL Injection. This issue affects WPGYM: from n/a through 65.0.
Title
  Added: WordPress WPGYM Plugin <= 65.0 - SQL Injection vulnerability
Weaknesses
  Added: CWE-89
References
Metrics
  Added: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:26.345Z

Reserved: 2025-04-09T11:20:57.810Z

Link: CVE-2025-32643

Vulnrichment

Updated: 2025-05-16T16:19:07.896Z

NVD

Status: Deferred

Published: 2025-05-16T16:15:40.057

Modified: 2026-04-28T19:31:47.600

Link: CVE-2025-32643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T20:15:16Z

Weaknesses