CVE-2025-32549 – This vulnerability allows attackers to include ... (How to Fix)

📋 TL;DR

This vulnerability allows attackers to include local files on the server through improper filename control in PHP include/require statements. It affects all WPGYM WordPress plugin versions up to 65.0, enabling potential information disclosure and code execution.

💻 Affected Systems

Products:

WPGYM WordPress Plugin

Versions: All versions up to and including 65.0

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with WPGYM plugin active.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete server compromise, data theft, and website defacement.

🟠

Likely Case

Local file inclusion allowing sensitive file disclosure (configuration files, credentials) and limited code execution.

🟢

If Mitigated

Information disclosure limited to readable files if proper file permissions are configured.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Simple HTTP requests can trigger the vulnerability without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 65.0

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/gym-management/vulnerability/wordpress-wpgym-65-0-local-file-inclusion-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find WPGYM plugin
4. Click 'Update Now' if update available
5. If no update available, deactivate and remove plugin

🔧 Temporary Workarounds

Disable WPGYM Plugin

all

Temporarily disable the vulnerable plugin until patched version is available.

wp plugin deactivate wpgym

Restrict PHP Include Paths

linux

Configure PHP to restrict include paths to safe directories.

php_admin_value open_basedir "/var/www/html:/tmp"

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block LFI patterns
Restrict file system permissions to limit readable files

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel for WPGYM plugin version 65.0 or earlier.

Check Version:

wp plugin get wpgym --field=version

Verify Fix Applied:

Verify WPGYM plugin version is greater than 65.0 in WordPress admin.

📡 Detection & Monitoring

Log Indicators:

Unusual file path patterns in PHP error logs
Multiple requests to WPGYM endpoints with file parameters

Network Indicators:

HTTP requests containing file path traversal patterns to WPGYM endpoints

SIEM Query:

source="web_logs" AND uri="*wpgym*" AND (uri="*../*" OR uri="*/etc/*" OR uri="*/proc/*")

📊 Metadata

CVE ID: CVE-2025-32549

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-98

EPSS Score: 0.12% exploit probability (30.7th percentile)

Published: June 17, 2025

Last Updated: June 17, 2025

🔗 References

https://patchstack.com/database/wordpress/plugin/gym-management/vulnerability/wordpress-wpgym-65-0-local-file-inclusion-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-32549, you might also want to check these: