CVE-2025-6080

Published: Aug 16, 2025Modified: Aug 18, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: security@wordfence.com (Secondary)

Description

The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67.7.0. This is due to the plugin not properly validating a user's capabilities prior to adding users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new users, including admins.

Related CWEs

CWE-269

Improper Privilege Management

The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

References (2)

https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964

Source: security@wordfence.com

https://www.wordfence.com/threat-intel/vulnerabilities/id/6f853657-1801-4d63-89b8-b2132212a205?source=cve

Source: security@wordfence.com

Timeline

No history available yet.