Description
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to SQL Injection via several parameters in the MJ_gmgt_delete_class_limit_for_member, MJ_gmgt_get_yearly_income_expense, MJ_gmgt_get_monthly_income_expense, MJ_gmgt_add_class_limit, MJ_gmgt_view_meeting_detail, and MJ_gmgt_create_meeting functions in all versions up to 67.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-07-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to data disclosure
Action: Immediate Patch
AI Analysis

Impact

The WPGYM – Wordpress Gym Management System is vulnerable to SQL Injection through several parameters in functions such as MJ_gmgt_delete_class_limit_for_member, MJ_gmgt_get_yearly_income_expense, MJ_gmgt_get_monthly_income_expense, MJ_gmgt_add_class_limit, MJ_gmgt_view_meeting_detail, and MJ_gmgt_create_meeting. The flaw results from insufficient escaping of user‑supplied data and lack of prepared statements, allowing unauthenticated attackers to append malicious SQL fragments to existing queries and extract sensitive database contents.

Affected Systems

The vulnerability affects the dasinfomedia WPGYM – Wordpress Gym Management System plugin, specifically all releases up to and including version 67.8.0.

Risk and Exploitability

With a CVSS score of 7.5 the vulnerability poses a moderate to high severity risk. The EPSS score of <1% indicates a low but non‑zero likelihood of exploitation, and the flaw is not currently listed in the CISA KEV catalog. It is inferred that attackers can likely exploit the flaw remotely by sending crafted requests to the plugin’s exposed endpoints, even without authenticating to the WordPress installation.

Generated by OpenCVE AI on April 21, 2026 at 19:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WPGYM plugin to a version newer than 67.8.0, which removes the vulnerable code paths.
  • If an immediate update is not possible, block unauthenticated access to the affected AJAX endpoints using a security plugin or firewall rule to prevent exploitation.
  • Deploy a Web Application Firewall or enable WAF rules that detect and block SQL injection patterns targeting the plugin’s endpoints.

Generated by OpenCVE AI on April 21, 2026 at 19:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-21115 The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to SQL Injection via several parameters in the MJ_gmgt_delete_class_limit_for_member, MJ_gmgt_get_yearly_income_expense, MJ_gmgt_get_monthly_income_expense, MJ_gmgt_add_class_limit, MJ_gmgt_view_meeting_detail, and MJ_gmgt_create_meeting functions in all versions up to 67.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Fri, 11 Jul 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 11 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00064}

Fri, 11 Jul 2025 07:30:00 +0000

Type Values Removed Values Added
Description The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to SQL Injection via several parameters in the MJ_gmgt_delete_class_limit_for_member, MJ_gmgt_get_yearly_income_expense, MJ_gmgt_get_monthly_income_expense, MJ_gmgt_add_class_limit, MJ_gmgt_view_meeting_detail, and MJ_gmgt_create_meeting functions in all versions up to 67.8.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title WPGYM - Wordpress Gym Management System < 67.8.0 - Unauthenticated SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Dasinfomedia Wpgym Gym Management System
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:29:45.275Z

Reserved: 2025-07-10T19:17:33.836Z

Link: CVE-2025-7442

cve-icon Vulnrichment

Updated: 2025-07-11T15:39:03.997Z

cve-icon NVD

Status : Deferred

Published: 2025-07-11T08:15:24.590

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7442

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T19:45:16Z

Weaknesses