CVE-2025-6080

HIGH

WPGYM - Wordpress Gym Management System <67.7.0 - Privilege Escalation

Title source: llm

Description

The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67.7.0. This is due to the plugin not properly validating a user's capabilities prior to adding users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new users, including admins.
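The root cause named above (CWE-269, a user-creation handler that does not check the caller's capabilities) is a common WordPress plugin defect, so the following added example shows the vulnerable shape beside a hardened one. It is illustrative code written for this page, not WPGYM's code or the vendor's patch; the action name `gym_add_member`, the nonce name and both function names are hypothetical.

```php
<?php
// Added illustration, not WPGYM code. Handler and action names are hypothetical.
// Both handlers are reachable by any logged-in user via admin-ajax.php, because
// wp_ajax_{action} hooks fire for every authenticated account, Subscriber included.

// Vulnerable pattern: nothing verifies that the caller is allowed to create
// users, and the role is taken straight from the request, so a Subscriber
// can mint an administrator account.
function gym_add_member_vulnerable() {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'role'       => sanitize_key( $_POST['role'] ?? 'subscriber' ), // caller-controlled
    ) );
    wp_send_json( array( 'user_id' => $user_id ) );
}

// Hardened pattern: CSRF nonce, explicit capability check before any
// state change, and an allow-list for the assignable role.
function gym_add_member_hardened() {
    // Rejects the request (HTTP 403) if the nonce is missing or invalid.
    check_ajax_referer( 'gym_add_member', 'nonce' );

    // The capability check the vulnerable handler lacks.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Only roles a gym-member workflow legitimately needs; never 'administrator'
    // from request data, regardless of who the caller is.
    $allowed_roles = array( 'subscriber', 'gym_member' ); // 'gym_member' is hypothetical
    $role = sanitize_key( $_POST['role'] ?? 'subscriber' );
    if ( ! in_array( $role, $allowed_roles, true ) || ! get_role( $role ) ) {
        $role = 'subscriber';
    }

    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_pass'  => (string) ( $_POST['user_pass'] ?? '' ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'role'       => $role,
    ) );

    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }

    wp_send_json_success( array( 'user_id' => $user_id ) );
}

add_action( 'wp_ajax_gym_add_member', 'gym_add_member_hardened' );
```

When auditing a plugin for this class of bug, look at every `wp_ajax_*`, REST route and `admin_post_*` callback that reaches `wp_insert_user`, `wp_create_user` or `WP_User::set_role`, and confirm each one calls `current_user_can()` with a user-management capability before the write; a nonce alone only proves the request came from the site's own page, not that the account behind it is privileged.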

Scores

CVSS v3 8.8
EPSS 0.0029
EPSS Percentile 20.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-269
Status published
Products (1)
dasinfomedia/WPGYM - Wordpress Gym Management System < 67.7.0
Published Aug 16, 2025
Tracked Since Feb 18, 2026