CVE Alert: CVE-2025-7049 – dasinfomedia – WPGYM – WordPress Gym Management System
CVE-2025-7049
The WPGYM – WordPress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67.7.0 via the ‘MJ_gmgt_gmgt_add_user’ function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the email, password, and other details of any user, including Administrator users.
AI Summary Analysis
Risk verdict
High risk: authenticated Subscriber+ users can escalate privileges to take over any account, including Administrators; no active exploitation indicators are reported, but patching should be prioritised when available.
Why this matters
Allows full control of the site's user base and administration, enabling data exfiltration, site compromise, and persistence. Realistic attacker goals include seizing administrator credentials, altering user access, and then deploying web shells or defacing the site.
Most likely attack path
Requires an authenticated Subscriber-level (or higher) session; the attacker abuses the missing validation on a user-controlled key to bypass authorization and modify another user's record. No user interaction is needed and initial access comes through the standard authenticated web flow, so a low-privilege session could rapidly be converted into full administrator capability and used to pivot within the WordPress admin space.
Who is most exposed
Sites running WPGYM on WordPress that have active Subscriber-level or higher accounts are at risk, particularly where the plugin's user-management features are reachable by those accounts on public or semi-public endpoints.
Detection ideas
- Sudden changes to admin or other high-privilege user accounts (email/password/role).
- Creation of new admin-like users from unusual origins or at odd times.
- Repeated changes to user records via the affected function path or related API calls.
- Anomalous login activity from accounts with elevated privileges.
- Unusual edit histories around user management within the plugin.
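The first and third detection ideas above, as an added example that is not part of the original alert: a small scan over constructed audit-log lines that flags a low-privilege actor changing another user's credentials, the pattern this vulnerability enables. The JSON log format, field names and sample events are assumptions for illustration, not the plugin's or WordPress's own log format.

```python
"""Added example (not from the advisory): flag user-record changes where a
low-privilege actor edits another user's credentials, the pattern the
WPGYM issue enables. Log format and events below are constructed."""
import json

# Constructed audit events, one JSON object per line. Assumed schema: an
# audit plugin records who (actor) changed which fields on which user (target).
SAMPLE_LOG = """\
{"ts":"2025-07-01T10:02:11Z","actor":"coach_dan","actor_role":"subscriber","target":"coach_dan","target_role":"subscriber","fields":["description"]}
{"ts":"2025-07-01T10:05:43Z","actor":"coach_dan","actor_role":"subscriber","target":"admin","target_role":"administrator","fields":["user_email","user_pass"]}
{"ts":"2025-07-01T10:06:02Z","actor":"admin","actor_role":"administrator","target":"member_22","target_role":"subscriber","fields":["user_email"]}
{"ts":"2025-07-01T11:15:30Z","actor":"member_22","actor_role":"subscriber","target":"coach_dan","target_role":"subscriber","fields":["user_pass"]}
"""

# Stock WordPress grants the edit_users capability to administrators only, so a
# lower-role actor changing someone else's credentials is anomalous by itself.
ADMIN_ROLE = "administrator"
SENSITIVE_FIELDS = {"user_email", "user_pass", "role"}


def classify(event):
    """Return a severity label for one event, or None if it looks benign."""
    touched = SENSITIVE_FIELDS & set(event["fields"])
    if event["actor"] == event["target"] or not touched:
        return None  # self-service edit, or nothing credential-related
    if event["actor_role"] == ADMIN_ROLE:
        return None  # administrators legitimately manage other users
    fields = ",".join(sorted(touched))
    if event["target_role"] == ADMIN_ROLE:
        return "CRITICAL: %s actor changed an administrator's %s" % (event["actor_role"], fields)
    return "HIGH: %s actor changed another user's %s" % (event["actor_role"], fields)


def scan(log_text):
    """Parse JSON-lines audit text and return (ts, actor, target, label) findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        label = classify(ev)
        if label:
            findings.append((ev["ts"], ev["actor"], ev["target"], label))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```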
Mitigation and prioritisation
- Patch: update to the fixed version as soon as the vendor releases it; treat as priority 2 unless KEV/EPSS criteria change.
- Compensating controls: enforce MFA for all accounts, Subscriber-level and above included; restrict admin-level changes to approved sessions; disable or limit the plugin’s user-management features until patched.
- Hardening: implement a WAF rule to monitor for suspicious user-key usage; restrict access to admin endpoints; review and prune unnecessary Subscriber-level privileges.
- Change-management: deploy in staging first, verify no regressions, then roll out with monitoring; document a rollback plan.
- Detection hardening: enable detailed auditing of user modifications and API calls related to account management.