Skip to main content
CVE Vulnerability Database

CVE-2025-7049: WPGYM Plugin Privilege Escalation Flaw

CVE-2025-7049 is a privilege escalation vulnerability in the WPGYM WordPress Gym Management System plugin, allowing subscriber-level attackers to modify administrator credentials. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2025-7049 Overview

CVE-2025-7049 is a privilege escalation vulnerability in the WPGYM - WordPress Gym Management System plugin. The flaw affects all versions up to and including 67.7.0. The vulnerability resides in the MJ_gmgt_gmgt_add_user function, which fails to validate a user-controlled key before modifying account data. Authenticated attackers with Subscriber-level access or above can change the email address, password, and other details of any user, including Administrator accounts. The weakness is classified under CWE-639 (Authorization Bypass Through User-Controlled Key).

Critical Impact

An authenticated Subscriber can hijack Administrator accounts by resetting credentials, leading to full site takeover.

Affected Products

  • WPGYM - WordPress Gym Management System plugin, all versions through 67.7.0
  • WordPress sites running the plugin with open user registration or any Subscriber-level access
  • Sold via Codecanyon Gym Management System

Discovery Timeline

  • 2025-09-10 - CVE-2025-7049 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-7049

Vulnerability Analysis

The vulnerability is an Insecure Direct Object Reference (IDOR) leading to privilege escalation. The MJ_gmgt_gmgt_add_user function in the WPGYM plugin accepts a user identifier supplied in the request without verifying that the requester owns or is permitted to modify the referenced account. The function then proceeds to update sensitive fields, including the target account's email address and password. Because WordPress uses email-based password reset flows, an attacker who alters an Administrator's email can subsequently trigger a reset and gain full control. The plugin grants this behavior to any authenticated session, so the lowest privileged role on the site, Subscriber, is sufficient to exploit it.

Root Cause

The root cause is missing authorization on a user-controlled key, mapping to [CWE-639]. The plugin trusts the user identifier passed in the request and performs account modifications without checking the current user's capabilities against the target account. There is no current_user_can() gate, no nonce-bound ownership check, and no role comparison between requester and target.

Attack Vector

Exploitation requires network access to the WordPress site and an authenticated session at Subscriber level or higher. The attacker submits a request to the plugin endpoint that invokes MJ_gmgt_gmgt_add_user, supplying the target user's ID along with new email and password values. The server applies the changes, after which the attacker logs in as the hijacked Administrator. No social engineering or victim interaction is required.

No public proof-of-concept code has been published. See the Wordfence Vulnerability Report for additional technical context.

Detection Methods for CVE-2025-7049

Indicators of Compromise

  • Unexpected changes to user_email or user_pass fields in the wp_users table for Administrator accounts
  • New Administrator accounts created shortly after Subscriber-level logins
  • WordPress password_reset or email_changed notification emails sent to addresses not controlled by legitimate administrators
  • Login activity from Subscriber accounts immediately followed by privileged actions

Detection Strategies

  • Audit WordPress logs and database for modifications to Administrator accounts originating from low-privileged sessions
  • Monitor HTTP POST requests targeting WPGYM endpoints that invoke MJ_gmgt_gmgt_add_user with user_id parameters referencing privileged accounts
  • Deploy a Web Application Firewall (WAF) rule that blocks requests to the vulnerable handler unless the requester is an Administrator
  • Correlate plugin activity with role changes using a SIEM that ingests WordPress audit logs

Monitoring Recommendations

  • Enable WordPress activity logging plugins to capture user profile changes with the acting user ID
  • Forward web server access logs and PHP error logs to a centralized log platform for retention and correlation
  • Alert on any password or email change applied to a wp_capabilities value containing administrator
  • Track first-time POST requests to plugin AJAX or admin-post handlers from non-admin sessions

How to Mitigate CVE-2025-7049

Immediate Actions Required

  • Update the WPGYM - WordPress Gym Management System plugin to a version later than 67.7.0 once the vendor releases a fix
  • If no patched version is available, deactivate and remove the plugin until a fix is published
  • Force a password reset for all Administrator accounts and review their registered email addresses
  • Disable open user registration (Settings > General > Membership) to reduce the attacker pool

Patch Information

At the time of NVD publication, no fixed version is identified in the advisory. Site operators should monitor the Wordfence Vulnerability Report and the vendor listing on Codecanyon for an updated release.

Workarounds

  • Remove the plugin from production sites until a patched release is verified
  • Restrict access to /wp-admin/admin-ajax.php and /wp-admin/admin-post.php endpoints handling WPGYM actions via WAF rules
  • Limit the creation of Subscriber accounts and require administrator approval for new registrations
  • Apply the principle of least privilege by auditing all existing accounts and downgrading unused Administrator roles
bash
# Example: temporarily disable the WPGYM plugin via WP-CLI
wp plugin deactivate wpgym
wp plugin list --status=active --field=name

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.