Description
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 67.7.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The Local File Inclusion exploit can be chained to include various dashboard view files in the plugin. One in particular reported by the researcher can be leveraged to update the password of Super Administrator accounts in Multisite environments making privilege escalation possible.
Published: 2025-08-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch
AI Analysis

Impact

The WPGYM plugin is vulnerable to Local File Inclusion through the "page" parameter: the value selects the file the plugin includes without being confined to a fixed set of view files. An authenticated user with Subscriber-level access or above can therefore include arbitrary files on the server. Code execution follows where the attacker can first place PHP code in a file the site will accept, for example inside an image or another "safe" upload type, and then include it. Even without an upload, the inclusion can be pointed at the plugin's own dashboard view files to bypass the access checks that normally gate them; one such view, reported by the researcher, updates the password of Super Administrator accounts in Multisite installations, giving a direct path to privilege escalation.
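
The mechanism above in code, as an added example that is not from the WPGYM plugin, the advisory or OpenCVE: a Python model of the broken dispatch pattern (an untrusted `page` value concatenated into an include path) beside two fixes, a path-containment check and a strict allow-list. The directory path, the view file names, the `uploads` target and the `update_superadmin_password.php` name are assumptions; the plugin's real files are not named in the advisory. It also shows why containment alone is not enough here: a view that exists inside the plugin directory but is meant to be reached only after an authorization check is still includable by name, which is the shape of the password-update chain the advisory describes.

```python
"""
Added example, not code from the WPGYM plugin, Wordfence or OpenCVE: a model
of the broken and the hardened way to map a user-controlled 'page' parameter
onto a view file. Paths, file names and function names are assumptions
chosen for illustration; the real plugin layout is not known.
"""
import posixpath

# Assumed plugin view directory. posixpath is used so the check behaves the
# same on every OS; PHP's realpath()/strpos() prefix test is the equivalent.
VIEWS_DIR = "/var/www/html/wp-content/plugins/wpgym/views"

# Views this dispatcher is meant to render (constructed names). A file that
# exists under VIEWS_DIR but is not listed here (e.g. a password-update view
# that expects an upstream capability check) must not be reachable by name.
ALLOWED_VIEWS = {"dashboard.php", "members.php", "schedule.php"}


def vulnerable_resolve(page):
    """Broken pattern: untrusted input concatenated straight into the include path.

    Mirrors `include($dir . '/' . $_GET['page']);`. Any '../' sequence walks
    out of VIEWS_DIR, so an uploaded 'image' carrying PHP can be included.
    """
    return VIEWS_DIR + "/" + page


def contained_resolve(page):
    """Weaker fix: normalise and verify the result still lives under VIEWS_DIR.

    Stops traversal, absolute paths and null bytes, but still lets the caller
    open *any* file in VIEWS_DIR, which is exactly how a sensitive view that
    relies on a check elsewhere can be reached directly.
    """
    if not page or "\x00" in page:           # empty name or null-byte truncation attempt
        return None
    candidate = posixpath.normpath(posixpath.join(VIEWS_DIR, page))
    # commonpath compares whole components, so 'views2/x' cannot pass as 'views/'
    if posixpath.commonpath([VIEWS_DIR, candidate]) != VIEWS_DIR:
        return None
    return candidate


def allowlisted_resolve(page):
    """Preferred fix: accept only known view names, then apply containment anyway.

    The membership test rejects traversal, encoded variants and any unlisted
    file; the containment check is a second line of defence if the list is
    ever populated from something less trustworthy than a literal.
    """
    if page not in ALLOWED_VIEWS:
        return None
    return contained_resolve(page)


# Constructed attacker inputs for the 'page' parameter (not taken from the
# advisory; the plugin's real file names are unknown).
PROBES = {
    "legit": "dashboard.php",
    "traversal_to_upload": "../../../uploads/2025/08/avatar.png",
    "traversal_back_inside": "../views/dashboard.php",
    "absolute": "/etc/passwd",
    "null_byte": "dashboard.php\x00.png",
    # hypothetical in-plugin view that changes a password when included
    "unlisted_view": "update_superadmin_password.php",
}


def compare(page):
    """Run one input through all three resolvers and return their verdicts."""
    return {
        "vulnerable": vulnerable_resolve(page),
        "contained": contained_resolve(page),
        "allowlisted": allowlisted_resolve(page),
    }


if __name__ == "__main__":
    for name, probe in PROBES.items():
        print(f"{name:22s} {compare(probe)}")
```

In PHP the same two fixes are `in_array($page, $allowed, true)` for the allow-list and `realpath()` followed by a `strpos($real, $base . '/') === 0` prefix check for containment; the capability check (`current_user_can()`) belongs in the dispatcher before any include, because a Subscriber should not reach administrative views at all.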

Affected Systems

The issue affects installations of the WPGYM – Wordpress Gym Management System plugin up to and including version 67.7.0. Any WordPress site running the plugin is potentially affected; the file inclusion itself does not depend on Multisite, but the Super Administrator password-update chain reported by the researcher applies to Multisite networks. The plugin is distributed by dasinfomedia under the WPGYM product name.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates high severity: network-reachable, low complexity and no user interaction, but requiring a low-privilege account. The EPSS score below 1% suggests a low current probability of exploitation in the wild, the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment records no known exploitation and rates it not automatable. An attacker needs an account with at least Subscriber privileges, which sites with open registration hand out freely, and a crafted "page" parameter value. Once the inclusion succeeds, the attacker can execute PHP from any file they can place on the host, and in Multisite networks can reach the view that resets Super Administrator passwords to escalate privileges.

Generated by OpenCVE AI on April 22, 2026 at 00:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPGYM plugin to a version newer than 67.7.0 or apply the vendor’s official fix once one is available
  • If an update is not immediately available, deactivate or uninstall the plugin to prevent the LFI path
  • Until a fix is applied, reduce the impact: limit file uploads to trusted roles, configure the web server to refuse PHP execution under wp-content/uploads, and block or alert at the WAF or web server on requests whose "page" parameter contains path traversal sequences, absolute paths or stream wrappers
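
Detection for the last action, as an added example that is not from OpenCVE, Wordfence or the plugin: a Python scan of web-server access logs that flags `page` values containing traversal, absolute paths, null bytes, stream wrappers or non-PHP targets. The log lines are constructed, and the `/wp-admin/admin.php` request path in them is an assumption; the advisory does not say which plugin endpoint reads the parameter, so the scan keys on the parameter rather than on a URL.

```python
"""
Added example, not code from OpenCVE, Wordfence or the WPGYM plugin: scan
web-server access logs for 'page' parameter values that look like local
file inclusion attempts. Everything below (log lines, request path, field
names) is constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format; only the fields used here are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample; the /wp-admin/admin.php path is an assumption, the
# advisory does not name the endpoint that reads 'page'.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Aug/2025:10:01:02 +0000] "GET /wp-admin/admin.php?page=dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Aug/2025:10:01:09 +0000] "GET /wp-admin/admin.php?page=../../../uploads/2025/08/avatar.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Aug/2025:10:01:15 +0000] "GET /wp-admin/admin.php?page=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 500 0 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Aug/2025:10:02:00 +0000] "GET /wp-admin/admin.php?page=members&tab=active HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Aug/2025:10:02:30 +0000] "GET /wp-admin/admin.php?page=php://filter/convert.base64-encode/resource=wp-config.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""


def decode_fully(value, rounds=3):
    """Percent-decode until stable (bounded) so %252e%252e/ is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_page_value(raw):
    """Return the reasons a 'page' value looks like an inclusion attempt ([] if clean)."""
    v = decode_fully(raw).replace("\\", "/")   # treat backslashes as separators too
    reasons = []
    if "../" in v or v.startswith("/"):
        reasons.append("traversal-or-absolute")
    if "\x00" in v:
        reasons.append("null-byte")            # suffix-truncation trick on old PHP
    if re.match(r"(?i)^(php|data|phar|file|expect)://", v):
        reasons.append("stream-wrapper")       # php://filter source disclosure etc.
    if v.lower().endswith((".png", ".jpg", ".jpeg", ".gif", ".txt", ".log")):
        reasons.append("non-php-target")       # an 'image' carrying PHP being included
    return reasons


def scan(lines):
    """Return one hit per suspicious 'page' value found in the log lines."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                           # not a request line we understand
        query = urlsplit(m["target"]).query
        # parse_qs already decodes once, mirroring what PHP's $_GET would hold
        for value in parse_qs(query, keep_blank_values=True).get("page", []):
            reasons = classify_page_value(value)
            if reasons:
                hits.append({
                    "ip": m["ip"],
                    "time": m["time"],
                    "page": value,
                    "status": int(m["status"]),
                    "reasons": reasons,
                })
    return hits


def summarize(hits):
    """Count hits per source address for triage."""
    counts = {}
    for hit in hits:
        counts[hit["ip"]] = counts.get(hit["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for hit in found:
        print(hit)
    print(summarize(found))
```

Access logs only show the HTTP client, not the WordPress account, so tying a hit to a specific Subscriber needs the application's own audit log or the `wordpress_logged_in_*` cookie from a full request capture. A 200 response to a traversal probe on a site still running 67.7.0 or earlier is better treated as a probable successful inclusion than as a mere attempt, and the host should be checked for uploaded files that contain PHP.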



Advisories
Source: EUVD
ID: EUVD-2025-25067
Title: The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 67.7.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The Local File Inclusion exploit can be chained to include various dashboard view files in the plugin. One in particular reported by the researcher can be leveraged to update the password of Super Administrator accounts in Multisite environments making privilege escalation possible.
History

Sun, 24 Aug 2025 22:30:00 +0000

Type: First Time appeared
Values Added: Dasinfomedia; Dasinfomedia wpgym Gym Management System; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Dasinfomedia; Dasinfomedia wpgym Gym Management System; Wordpress; Wordpress wordpress

Mon, 18 Aug 2025 19:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 16 Aug 2025 03:45:00 +0000

Type: Description
Values Added: The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 67.7.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The Local File Inclusion exploit can be chained to include various dashboard view files in the plugin. One in particular reported by the researcher can be leveraged to update the password of Super Administrator accounts in Multisite environments making privilege escalation possible.

Type: Title
Values Added: WPGYM - Wordpress Gym Management System <= 67.7.0 - Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update

Type: Weaknesses
Values Added: CWE-22

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Dasinfomedia Wpgym Gym Management System
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:44.648Z

Reserved: 2025-04-15T22:04:45.953Z

Link: CVE-2025-3671

Vulnrichment

Updated: 2025-08-18T13:37:04.255Z

NVD

Status : Deferred

Published: 2025-08-16T04:15:57.460

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-3671

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:00:04Z

Weaknesses