CVE-2025-3671: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in dasinfomedia WPGYM - Wordpress Gym Management System
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 67.7.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. The Local File Inclusion exploit can be chained to include various dashboard view files in the plugin. One in particular, reported by the researcher, can be leveraged to update the password of Super Administrator accounts in Multisite environments, making privilege escalation possible.
AI Analysis
Technical Summary
CVE-2025-3671 is a high-severity vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as Path Traversal) affecting the WPGYM - Wordpress Gym Management System plugin developed by dasinfomedia. All versions up to and including 67.7.0 are affected. The flaw lies in the handling of the 'page' parameter, which lets authenticated users with Subscriber-level access or higher perform Local File Inclusion (LFI): the server includes an attacker-chosen local file and executes any PHP code it contains. This allows access controls to be bypassed, sensitive information to be read, and arbitrary code to run on the server. Notably, the vulnerability is exploitable even when only “safe” file types such as images can be uploaded, because an uploaded file of any type can be included and executed through the LFI. The flaw can also be chained to include the plugin's own dashboard view files; one such path, reported by the researcher, can be leveraged to update the password of Super Administrator accounts in WordPress Multisite environments, enabling privilege escalation to the highest administrative level. The vulnerability carries a CVSS v3.1 score of 8.8 (High): network attack vector, low attack complexity, low privileges required (Subscriber), no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits are currently known in the wild, but the potential damage is significant given the widespread use of WordPress and the plugin's role in managing gym memberships and related data.
Potential Impact
For European organizations using the WPGYM plugin, this vulnerability poses a substantial risk. Successful exploitation could lead to unauthorized access to sensitive customer data, including personal and payment information, which would have severe privacy and regulatory implications under GDPR. The ability to escalate privileges to Super Administrator level in WordPress Multisite setups could allow attackers to control entire networks of sites, potentially disrupting business operations, defacing websites, or deploying malware. This could result in reputational damage, financial loss, and legal consequences. Given that gyms and fitness centers often handle membership and health-related data, the breach could also affect user trust and compliance with data protection laws. The vulnerability’s exploitation could also be used as a foothold for lateral movement within an organization’s IT infrastructure if the WordPress installation is integrated with other internal systems.
Mitigation Recommendations
Immediate mitigation is to update the WPGYM plugin to a patched version once dasinfomedia releases one. Until a patch is available, restrict access to the WordPress admin dashboard to trusted IP addresses and enforce strong authentication to limit the risk from low-privilege accounts. A Web Application Firewall (WAF) with rules that detect and block path traversal attempts against the 'page' parameter provides a temporary defense. Audit user roles and remove unnecessary Subscriber-level accounts or restrict their capabilities. Monitoring server logs for unusual file inclusion attempts and scanning for unauthorized file uploads are critical. In multisite environments, closely monitor Super Administrator account activity and consider additional hardening such as two-factor authentication. Keep regular backups and an incident response plan in place so that recovery is quick if exploitation occurs. Finally, conduct security assessments of the WordPress environment to identify and remediate similar vulnerabilities.
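As an added, defender-side example (not code from the advisory, the plugin, or the site hosting this analysis), the following Python script implements the log-monitoring recommendation above: it parses web-server access log lines in the combined format, extracts the 'page' query parameter named in the advisory, fully URL-decodes it so that double-encoded traversal sequences are not missed, and flags values containing traversal sequences, absolute paths, null bytes or stream-wrapper prefixes. The log lines, IP addresses, timestamps and page values are constructed for the example; the request path `/wp-admin/admin.php` and the view names are assumptions, not values taken from the plugin.

```python
import re
import urllib.parse
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Constructed sample access-log lines in the Apache/Nginx "combined" format.
# IP addresses, timestamps, paths and page values are made up for this example;
# the request path /wp-admin/admin.php and the view names are assumptions, not
# values taken from the plugin or the advisory.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Sep/2025:10:00:01 +0000] "GET /wp-admin/admin.php?page=wpgym_dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Sep/2025:10:00:09 +0000] "GET /wp-admin/admin.php?page=../../../../wp-config.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Sep/2025:10:01:13 +0000] "GET /wp-admin/admin.php?page=..%2F..%2Fuploads%2Fimage.png HTTP/1.1" 200 1820 "-" "curl/8.0"
198.51.100.7 - - [01/Sep/2025:10:01:20 +0000] "GET /wp-admin/admin.php?page=%252e%252e%252fsome%252fview.php HTTP/1.1" 200 900 "-" "curl/8.0"
192.0.2.44 - - [01/Sep/2025:10:02:00 +0000] "GET /wp-admin/admin.php?page=wpgym_members&id=42 HTTP/1.1" 200 7777 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Sep/2025:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# ".." as a whole path component, with either slash style, anywhere in the value
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
# Windows drive-letter absolute path, e.g. C:\ or D:/
DRIVE_RE = re.compile(r'^[A-Za-z]:[\\/]')
# scheme prefix such as php://, file://, data:
WRAPPER_RE = re.compile(r'^[a-z][a-z0-9+.\-]*:(//)?', re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    timestamp: str
    status: str
    raw_value: str      # value exactly as it appeared in the request
    decoded_value: str  # value after repeated URL-decoding
    reason: str


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly until the value stops changing (catches %252e style double encoding)."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_page_value(value: str) -> Optional[str]:
    """Return a reason string if the value looks like a file-inclusion attempt, else None."""
    decoded = decode_fully(value)
    if '\x00' in decoded:
        return 'null byte'
    if TRAVERSAL_RE.search(decoded):
        return 'directory traversal'
    if decoded.startswith(('/', '\\')) or DRIVE_RE.match(decoded):
        return 'absolute path'
    if WRAPPER_RE.match(decoded):
        return 'stream wrapper'
    return None


def query_values(query: str, param: str) -> Iterator[str]:
    """Yield the raw (still encoded) values of `param` from a query string."""
    for pair in query.split('&'):
        key, _, value = pair.partition('=')
        if urllib.parse.unquote(key) == param:
            yield value


def scan_log(text: str, param: str = 'page') -> List[Finding]:
    """Scan combined-format log text and return every suspicious `param` value."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than fail
        query = urllib.parse.urlsplit(m.group('target')).query
        for raw in query_values(query, param):
            reason = classify_page_value(raw)
            if reason:
                findings.append(Finding(m.group('ip'), m.group('ts'), m.group('status'),
                                        raw, decode_fully(raw), reason))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count suspicious requests per client IP, for prioritising follow-up."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f'{f.timestamp} {f.ip} status={f.status} {f.reason}: {f.raw_value!r} -> {f.decoded_value!r}')
    print('per-IP counts:', summarize(hits))
```

Replace `SAMPLE_LOG` with the contents of the real access log to run it against production data. A flagged value that was answered with HTTP 200 deserves the highest priority, since it suggests the include succeeded; a WAF rule built from `classify_page_value` would block the same patterns at the edge, but the log scan remains useful for finding attempts that predate the rule.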
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-04-15T22:04:45.953Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689fff64ad5a09ad0074397a
Added to database: 8/16/2025, 3:47:48 AM
Last enriched: 8/24/2025, 1:00:39 AM
Last updated: 10/6/2025, 6:22:10 PM