CVE-2025-3671: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in dasinfomedia WPGYM - Wordpress Gym Management System
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 67.7.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The Local File Inclusion exploit can be chained to include various dashboard view files in the plugin. One in particular, reported by the researcher, can be leveraged to update the password of Super Administrator accounts in Multisite environments, making privilege escalation possible.
AI Analysis
Technical Summary
CVE-2025-3671 is a high-severity vulnerability affecting the WPGYM - Wordpress Gym Management System plugin developed by dasinfomedia. This vulnerability is classified as CWE-22, indicating an improper limitation of a pathname to a restricted directory, commonly known as a path traversal flaw. The issue exists in all versions up to and including 67.7.0 of the plugin and is exploitable via the 'page' parameter. An authenticated attacker with at least Subscriber-level access can exploit this Local File Inclusion (LFI) vulnerability to include arbitrary files on the server. This inclusion allows execution of arbitrary PHP code contained in those files, effectively enabling remote code execution (RCE). The vulnerability can be leveraged to bypass access controls and access sensitive data. Notably, the exploit can be chained to include various dashboard view files within the plugin. One such chained exploit enables updating the password of Super Administrator accounts in WordPress Multisite environments, resulting in privilege escalation to the highest administrative level. The vulnerability does not require user interaction beyond authentication, and the attack vector is network-based with low attack complexity. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability. There are no patches currently available, and no known exploits have been observed in the wild yet. However, the potential for severe damage, including full site compromise and administrative takeover, makes this a critical issue for affected WordPress sites using the WPGYM plugin.
Potential Impact
For European organizations using the WPGYM plugin on their WordPress sites, this vulnerability poses a significant risk. Exploitation can lead to unauthorized disclosure of sensitive customer data, including personal and payment information, which is critical for gyms and fitness centers. The ability to execute arbitrary code and escalate privileges to Super Administrator level threatens the integrity and availability of the entire WordPress multisite network, potentially disrupting business operations. This could result in reputational damage, regulatory non-compliance (notably GDPR violations due to data breaches), financial losses from downtime or fraud, and increased remediation costs. Given the widespread use of WordPress and the popularity of fitness management solutions, the attack surface is considerable. The vulnerability's exploitation could also serve as a foothold for further lateral movement within an organization's IT infrastructure, amplifying the impact. European organizations with multisite WordPress deployments are particularly at risk due to the privilege escalation vector.
Mitigation Recommendations
Immediate mitigation steps include restricting access to the WordPress admin dashboard to trusted IP addresses and enforcing strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised subscriber accounts. Organizations should audit user roles and permissions to ensure minimal necessary privileges are assigned. Since no official patch is currently available, temporarily disabling or uninstalling the WPGYM plugin is advisable for high-risk environments. Web Application Firewalls (WAFs) should be configured to detect and block suspicious requests targeting the 'page' parameter to prevent path traversal attempts. Monitoring logs for unusual file inclusion attempts or privilege escalation activities is critical for early detection. Additionally, organizations should prepare for rapid patch deployment once a fix is released and consider isolating WordPress instances to limit potential lateral movement. Regular backups of the WordPress environment and database should be maintained to facilitate recovery in case of compromise.
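To support the log-monitoring recommendation above, here is an added example (not code from the advisory or from the plugin vendor) that scans web server access-log lines for 'page' values that try to leave the plugin's view directory. It assumes a combined-log format and that the vulnerable parameter appears in the query string of a WordPress admin request; the request path and the log lines are constructed for illustration, and it repeatedly percent-decodes so that double-encoded traversal sequences are caught.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Values that indicate an attempt to escape the plugin's view directory:
# relative traversal, absolute paths, PHP stream wrappers, or an embedded NUL.
TRAVERSAL = re.compile(
    r"(\.\./|\.\.\\|^/|^[a-z]:\\|^php://|^data:|^file://|\x00)", re.IGNORECASE
)

def decode_fully(value, max_rounds=3):
    """Percent-decode until stable so double-encoded '%252e%252e%252f' is seen as '../'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_page_values(request_target):
    """Return the decoded 'page' values in a request target that look like traversal."""
    parts = urlsplit(request_target)
    hits = []
    for raw in parse_qs(parts.query, keep_blank_values=True).get("page", []):
        value = decode_fully(raw)
        if TRAVERSAL.search(value):
            hits.append(value)
    return hits

# Combined log format: ip ident user [time] "method target proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def scan_access_log(lines):
    """Return (ip, time, decoded page value, status) for each request with a suspicious 'page'."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        for value in suspicious_page_values(m.group("target")):
            findings.append((m.group("ip"), m.group("time"), value, m.group("status")))
    return findings

# Constructed sample log lines (not from any real incident); the admin.php path is an assumption.
SAMPLE_LOG = [
    '203.0.113.5 - - [16/Aug/2025:03:47:48 +0000] "GET /wp-admin/admin.php?page=gym_dashboard HTTP/1.1" 200 5120',
    '203.0.113.9 - - [16/Aug/2025:03:48:01 +0000] "GET /wp-admin/admin.php?page=../../../../wp-content/uploads/2025/08/avatar.jpg HTTP/1.1" 200 3080',
    '203.0.113.9 - - [16/Aug/2025:03:48:05 +0000] "GET /wp-admin/admin.php?page=%252e%252e%252fviews%252fsomething.php HTTP/1.1" 200 1024',
    '198.51.100.2 - - [16/Aug/2025:03:49:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
]
```

Run `scan_access_log(SAMPLE_LOG)` against a real log export to list the source IPs and timestamps worth correlating with the authenticated user in WordPress's own audit trail.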
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-15T22:04:45.953Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689fff64ad5a09ad0074397a
Added to database: 8/16/2025, 3:47:48 AM
Last enriched: 8/16/2025, 4:04:05 AM
Last updated: 8/22/2025, 12:34:56 AM
Views: 20