CVE-2025-3671: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in dasinfomedia WPGYM - Wordpress Gym Management System

Severity: High
Tags: Vulnerability, CVE-2025-3671, CWE-22
Published: Sat Aug 16 2025 (08/16/2025, 03:38:49 UTC)
Source: CVE Database V5
Vendor/Project: dasinfomedia
Product: WPGYM - Wordpress Gym Management System

Description

The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 67.7.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The Local File Inclusion exploit can be chained to include various dashboard view files in the plugin. One in particular reported by the researcher can be leveraged to update the password of Super Administrator accounts in Multisite environments making privilege escalation possible.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 02/27/2026, 13:45:25 UTC

Technical Analysis

The vulnerability CVE-2025-3671 in the WPGYM - WordPress Gym Management System plugin arises from improper limitation of pathname inputs (CWE-22), specifically in the 'page' parameter. This flaw enables Local File Inclusion (LFI), allowing authenticated users with Subscriber-level privileges or higher to include arbitrary files from the server. Because the plugin does not properly sanitize or restrict the 'page' parameter, attackers can execute arbitrary PHP code by including crafted files, even when only 'safe' file types like images are uploaded. This can lead to bypassing access controls, unauthorized data disclosure, and remote code execution. A notable exploitation path involves chaining the LFI to include dashboard view files, which can be leveraged to reset Super Administrator passwords in WordPress Multisite setups, facilitating privilege escalation. The vulnerability affects all plugin versions up to and including 67.7.0. The CVSS v3.1 score is 8.8, reflecting high impact on confidentiality, integrity, and availability with network attack vector, low attack complexity, and requiring only low privileges without user interaction. No patches are currently linked, and no public exploits have been reported yet, but the risk is significant given the potential for full system compromise.

Potential Impact

This vulnerability can have severe consequences for organizations using the WPGYM plugin. Attackers with minimal privileges can execute arbitrary code on the web server, potentially leading to full site compromise. This includes unauthorized access to sensitive customer data, manipulation or deletion of data, and disruption of service availability. In WordPress Multisite environments, the ability to reset Super Administrator passwords can lead to complete control over all sites in the network, amplifying the impact. The breach of confidentiality, integrity, and availability can damage organizational reputation, lead to regulatory penalties, and cause operational downtime. Since WordPress is widely used globally, and this plugin targets gym management systems which may hold personal and payment information, the threat extends to privacy violations and financial fraud risks. The ease of exploitation and lack of required user interaction increase the likelihood of targeted attacks and automated exploitation attempts.

Mitigation Recommendations

Immediate mitigation steps include restricting access to the vulnerable plugin by limiting Subscriber-level user capabilities, or disabling the plugin if feasible until a patch is available. Implement strict input validation and sanitization on the 'page' parameter to prevent path traversal and LFI attacks. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious requests that target the 'page' parameter with path traversal patterns. Monitor logs for unusual file inclusion attempts or privilege escalation activity. For WordPress Multisite environments, enforce strong password policies and consider multi-factor authentication for administrators to reduce the risk of account takeover. Regularly back up site data and configuration so that recovery is possible after a compromise. Engage with the vendor or community to obtain or develop patches and apply them promptly once available. Additionally, consider isolating the web server environment and running plugins with least privilege to limit the impact of any exploitation.
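The input-validation recommendation above is easiest to get right by never letting the request parameter become a path at all. The following is an added example, not code from WPGYM or from the researcher's report: it treats `page` as a lookup key into a fixed allow-list of view files, checks a real capability rather than mere authentication, and logs rejected requests so the monitoring step has something to work from. The function names, the `WPGYM_DEMO_VIEWS` map, the `manage_options` capability and the `views/` directory are all assumptions for the illustration; `sanitize_key()`, `current_user_can()`, `wp_die()` and `plugin_dir_path()` are WordPress core functions, so the code expects to run inside WordPress.

```php
<?php
// Added example (not WPGYM's code): allow-list dispatcher for a plugin's
// `page` request parameter. The anti-pattern it replaces is
// `include $_GET['page']`, where user input is used directly as a file path.

// Permitted view keys mapped to files under the plugin's own views directory.
// Only these keys can ever reach include(), so traversal sequences, absolute
// paths and stream wrappers supplied in the request have nowhere to go.
// (View names are constructed for this example.)
const WPGYM_DEMO_VIEWS = [
    'dashboard' => 'dashboard.php',
    'members'   => 'members.php',
    'payments'  => 'payments.php',
];

/**
 * Resolve a requested view key to an absolute file path, or null when the
 * request is not in the allow-list or the file is not inside $views_dir.
 */
function wpgym_demo_resolve_view(string $requested, string $views_dir): ?string {
    // sanitize_key() (WordPress core) lowercases and strips everything but
    // a-z, 0-9, '_' and '-', so the key can never contain '/', '\' or '.'.
    $key = sanitize_key($requested);
    if ($key === '' || !array_key_exists($key, WPGYM_DEMO_VIEWS)) {
        return null;
    }

    // Defence in depth: even with a fixed map, confirm the resolved file still
    // lives inside the views directory (guards against a bad map entry or a
    // symlink pointing elsewhere).
    $base = realpath($views_dir);
    $path = realpath($views_dir . DIRECTORY_SEPARATOR . WPGYM_DEMO_VIEWS[$key]);
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/**
 * Render a dashboard view. Untrusted input is only ever a lookup key here,
 * and access is gated on a capability rather than on being logged in.
 */
function wpgym_demo_render_view(): void {
    // 'manage_options' is an assumed placeholder; a real plugin would use the
    // narrowest capability that fits the view, never a Subscriber-level one.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }

    $requested = isset($_GET['page']) ? (string) $_GET['page'] : 'dashboard';
    $views_dir = plugin_dir_path(__FILE__) . 'views';
    $file      = wpgym_demo_resolve_view($requested, $views_dir);

    if ($file === null) {
        // Rejected requests are worth logging: a burst of them against `page`
        // is exactly the signal the monitoring recommendation asks for.
        error_log('wpgym-demo: rejected view request from user '
            . get_current_user_id() . ': ' . substr($requested, 0, 200));
        wp_die('Unknown view', '', ['response' => 400]);
    }

    include $file;
}
```

The important property is that `$_GET['page']` is never concatenated into a path: it is reduced to a key, looked up, and discarded if unknown. The `realpath()` containment check is redundant when the map is correct, but it costs nothing and catches mistakes in the map or on the filesystem. A WAF rule blocking `../`, `%2e%2e` or `php://` in `page` is a reasonable stop-gap, but only this kind of allow-list removes the bug rather than hiding it.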


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-04-15T22:04:45.953Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689fff64ad5a09ad0074397a

Added to database: 8/16/2025, 3:47:48 AM

Last enriched: 2/27/2026, 1:45:25 PM

Last updated: 3/26/2026, 12:17:01 AM

Views: 103
