CVE-2025-3671
📋 TL;DR
The WPGYM WordPress plugin has a Local File Inclusion vulnerability that allows authenticated attackers with Subscriber-level access to include and execute arbitrary PHP files on the server. This can lead to remote code execution, data theft, and privilege escalation, particularly in WordPress Multisite environments where it can be used to reset Super Administrator passwords.
💻 Affected Systems
- WPGYM - WordPress Gym Management System
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via remote code execution, privilege escalation to Super Administrator in Multisite environments, and potential data exfiltration.
Likely Case
Unauthorized access to sensitive files, privilege escalation to administrator, and installation of backdoors or malware.
If Mitigated
Limited impact if proper file permissions and web application firewalls are in place, though some information disclosure may still occur.
🎯 Exploit Status
Exploitation requires authenticated access (Subscriber-level or higher). The vulnerability is well-documented with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 67.7.1 or later
Vendor Advisory: https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find WPGYM plugin and update to version 67.7.1 or later. 4. If auto-update is not available, download the latest version from the vendor and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
allTemporarily disable the WPGYM plugin until patched
wp plugin deactivate wpgym
Web Application Firewall rule
linuxBlock requests containing suspicious 'page' parameter patterns
ModSecurity rule: SecRule ARGS:page "@rx \.\./" "id:1001,phase:2,deny,status:403,msg:'LFI attempt detected'"
🧯 If You Can't Patch
- Remove the WPGYM plugin entirely and use alternative gym management solutions
- Implement strict file permissions (chmod 644 for PHP files, chmod 755 for directories) and disable PHP execution in upload directories
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for WPGYM version. If version is 67.7.0 or lower, the system is vulnerable.Check Version:
wp plugin get wpgym --field=versionVerify Fix Applied:
Verify WPGYM plugin version is 67.7.1 or higher in WordPress admin panel. Test the 'page' parameter functionality to ensure proper input validation.📡 Detection & Monitoring
Log Indicators:
- HTTP requests with 'page' parameter containing path traversal sequences (../, ..\)
- Multiple failed authentication attempts followed by successful Subscriber login and suspicious file inclusion requests
- Unusual file access patterns in web server logs
Network Indicators:
- HTTP POST/GET requests to WPGYM endpoints with manipulated 'page' parameters
- Traffic spikes to plugin-specific URLs followed by unusual outbound connections
SIEM Query:
source="web_server.log" AND (uri="*wpgym*" AND (param="*../*" OR param="*..\\*"))