CVE-2025-6080 - Vulnerability Details

- WPGYM <= 67.7.0 - Missing Authorization to Admin Account Creation

Description

The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67.7.0. This is due to the plugin not properly validating a user's capabilities prior to adding users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new users, including admins.

Published: 2025-08-16

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in the WPGYM plugin allows an authenticated user with Subscriber-level access to create new WordPress users, including administrators, because the plugin does not enforce proper capability checks before adding users. This oversight is a classic privilege escalation flaw (CWE-269) that can give an attacker full control over the site, enabling data exfiltration, site defacement, or further attacks. The impact is a compromise of confidentiality, integrity, and availability for the entire WordPress installation.

Affected Systems

The flaw exists in the WPGYM – Wordpress Gym Management System plugin for WordPress versions up to and including 67.7.0. Users operating these versions should consider themselves at risk until they are upgraded.

Risk and Exploitability

The vulnerability scores 8.8 on the CVSS scale, indicating a high severity. The EPSS score is below 1%, suggesting that exploitation is currently unlikely but still possible. The attacker must be authenticated and have at least Subscriber permissions, then can exploit the plugin’s user-creation functionality to inject admin accounts. The vulnerability is not listed in the CISA KEV catalog, but given its high impact, it warrants immediate attention.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

dasinfomedia

WPGYM - Wordpress Gym Management System

unaffected

Version	Status	Constraints
`0`	affected	≤ 67.7.0

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update the WPGYM plugin to version 67.7.1 or later to receive the official capability check fix.
Restrict user creation permissions so that only administrators can add new accounts, either by reviewing WordPress role capabilities or by using a role‑management plugin.
Review existing user accounts for unexpected administrator entries and remove any that were added without proper authorization.

Generated by OpenCVE AI on April 21, 2026 at 19:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-25065	The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67.7.0. This is due to the plugin not properly validating a user's capabilities prior to adding users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new users, including admins.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00092.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964
https://www.wordfence.com/threat-intel/vulnerabilities/id/6f853657-1801-4d63-89b8-b2132212a205?source=cve

History

Mon, 18 Aug 2025 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Sat, 16 Aug 2025 03:45:00 +0000

Type	Values Removed	Values Added
Description		The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67.7.0. This is due to the plugin not properly validating a user's capabilities prior to adding users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new users, including admins.
Title		WPGYM <= 67.7.0 - Missing Authorization to Admin Account Creation
Weaknesses		CWE-269
References		https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964 https://www.wordfence.com/threat-intel/vulnerabilities/id/6f853657-1801-4d63-89b8-b2132212a205?source=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2025-08-16T03:38:50.216Z

Updated: 2026-04-08T16:59:57.053Z

Reserved: 2025-06-13T17:08:37.410Z

Link: CVE-2025-6080

Vulnrichment

Updated: 2025-08-18T13:36:46.116Z

NVD

Status : Deferred

Published: 2025-08-16T04:15:58.867

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-6080

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T19:30:06Z

Weaknesses

CWE-269

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object