CVE-2025-32574: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in mojoomla WPGYM
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in mojoomla WPGYM allows SQL Injection. This issue affects WPGYM: from n/a through 65.0.
AI Analysis
Technical Summary
CVE-2025-32574 is a high-severity SQL Injection vulnerability (CWE-89) affecting the mojoomla WPGYM WordPress plugin. The vulnerability arises from improper neutralization of special elements used in SQL commands, allowing an attacker with at least low privileges (PR:L) to inject malicious SQL code remotely (AV:N) without requiring user interaction (UI:N). The vulnerability impacts all versions of WPGYM up to and including version 65.0. Exploitation of this flaw can lead to a partial compromise of confidentiality (C:H), as attackers may extract sensitive data from the backend database. The integrity impact is rated none (I:N), indicating that the vulnerability does not allow modification of data, but availability impact is low (A:L), suggesting limited disruption of service is possible. The vulnerability has a CVSS 3.1 score of 8.5, reflecting its high risk. The scope is changed (S:C), meaning the vulnerability affects components beyond the initially vulnerable component, potentially impacting the entire WordPress site environment. No known exploits are currently reported in the wild, and no official patches have been released yet. The vulnerability was reserved in April 2025 and published in July 2025. The root cause is insufficient sanitization or parameterization of SQL queries within the WPGYM plugin, which is used to manage gym-related content on WordPress sites. Attackers exploiting this vulnerability could extract sensitive user or business data stored in the database, potentially leading to data breaches or further attacks leveraging exposed information.
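The root cause named above (SQL text built from unsanitized, unparameterized input) is the general CWE-89 pattern. The following added example is not WPGYM's code and does not reproduce the plugin's actual query; it is a constructed, stand-alone illustration using an in-memory SQLite table of gym members (table, column and sample names are all invented here) that places the defective pattern beside the parameterized form. In a WordPress plugin the equivalent correction is to build every query through `$wpdb->prepare()` with `%s`/`%d` placeholders instead of interpolating request values into the SQL string.

```python
import sqlite3

# Constructed sample data standing in for a gym plugin's membership table.
SAMPLE_MEMBERS = [
    (1, "alice", "alice@example.test", "gold"),
    (2, "bob", "bob@example.test", "basic"),
    (3, "carol", "carol@example.test", "gold"),
]


def make_db():
    """Create a fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT, plan TEXT)"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?, ?, ?)", SAMPLE_MEMBERS)
    return conn


def find_member_vulnerable(conn, name):
    """CWE-89: the caller-controlled value is spliced into the SQL text itself,
    so quote characters in `name` change the structure of the statement."""
    sql = "SELECT id, name, email FROM members WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def find_member_safe(conn, name):
    """Parameterized form: the driver binds `name` as a value; it can never
    be interpreted as SQL syntax, whatever characters it contains."""
    return conn.execute(
        "SELECT id, name, email FROM members WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Run both lookups against a fresh database and return (vulnerable, safe).
    `vulnerable` is None when the spliced statement no longer parses, which is
    the first symptom a defender sees in database error logs."""
    conn = make_db()
    try:
        vuln = find_member_vulnerable(conn, name)
    except sqlite3.OperationalError:
        vuln = None
    return vuln, find_member_safe(conn, name)


if __name__ == "__main__":
    # A legitimate name behaves identically in both forms.
    print("alice      ->", compare("alice"))
    # A name containing an apostrophe breaks the spliced query but not the bound one.
    print("o'brien    ->", compare("o'brien"))
    # A quote that closes the literal turns the WHERE clause into a tautology for the
    # vulnerable form (every row returned: the confidentiality loss the analysis
    # describes), while the bound form simply matches nothing.
    print("closed quote ->", compare("' OR '1'='1"))
```

Reviewing a plugin for this class of defect means searching for `$wpdb->query`, `$wpdb->get_results`, `$wpdb->get_var` and similar calls whose SQL argument is assembled with string concatenation or `sprintf` from `$_GET`, `$_POST` or `$_REQUEST` values; each such site should pass through `$wpdb->prepare()` instead. The least-privilege recommendation below complements this: a database account limited to the plugin's own tables bounds what even a successful injection can read.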
Potential Impact
For European organizations using the WPGYM plugin, this vulnerability poses a significant risk to the confidentiality of their data, including customer information, membership details, and potentially payment data if stored in the same database. Given the high CVSS score and remote exploitability without user interaction, attackers could automate attacks to extract sensitive data. The changed scope indicates that the compromise could extend beyond the plugin itself, potentially affecting the entire WordPress site and associated services. This could lead to reputational damage, regulatory non-compliance (e.g., GDPR violations due to data leakage), and financial losses. Organizations in the fitness, wellness, and sports sectors that rely on WPGYM for their online presence are particularly vulnerable. Additionally, the lack of an official patch increases the window of exposure. The low availability impact suggests that service disruption is less likely, but data confidentiality breaches remain a critical concern.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify the presence of the WPGYM plugin and its version. Until an official patch is released, they should consider temporarily disabling the plugin or restricting access to the WordPress admin interface to trusted IP addresses only. Implementing Web Application Firewall (WAF) rules specifically designed to detect and block SQL injection attempts targeting WPGYM can provide interim protection. Organizations should also review database user permissions to ensure the WordPress database user has the least privileges necessary, limiting potential data exposure. Monitoring logs for unusual SQL queries or access patterns related to the plugin is recommended. Once a patch becomes available, prompt application is critical. Additionally, organizations should conduct security awareness training for administrators to recognize and respond to potential exploitation attempts. Regular backups of the WordPress site and database should be maintained to enable recovery in case of compromise.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-04-09T11:20:09.347Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68779109a83201eaacda588a
Added to database: 7/16/2025, 11:46:17 AM
Last enriched: 7/16/2025, 12:16:21 PM
Last updated: 8/15/2025, 5:46:28 AM
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)