CVE-2025-6080: CWE-269 Improper Privilege Management in dasinfomedia WPGYM - Wordpress Gym Management System
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67.7.0. This is due to the plugin not properly validating a user's capabilities prior to adding users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new users, including admins.
AI Analysis
Technical Summary
CVE-2025-6080 is a critical security vulnerability identified in the WPGYM - Wordpress Gym Management System plugin developed by dasinfomedia. This plugin is widely used to manage gym memberships, schedules, and related administrative tasks within WordPress environments. The vulnerability stems from improper privilege management (CWE-269): the plugin fails to validate the calling user's capabilities before allowing the creation of new user accounts. Specifically, any authenticated user with Subscriber-level access or higher can exploit this flaw to create new user accounts, including accounts with administrative privileges. This bypasses the intended access control mechanisms and enables privilege escalation without administrator intervention or any additional user interaction. The vulnerability affects all versions up to and including 67.7.0 of the plugin. The CVSS v3.1 base score is 8.8, indicating high severity, with a network attack vector, low attack complexity, and no user interaction required. The impact on confidentiality, integrity, and availability is high, as attackers can gain full administrative control over the WordPress site, potentially leading to data theft, site defacement, or complete site takeover. No known exploits have been reported in the wild yet, and no official patches have been released at the time of this report. The vulnerability was publicly disclosed on August 16, 2025, and was reserved in June 2025 by Wordfence. Given the widespread use of WordPress and the popularity of the WPGYM plugin among fitness businesses, this vulnerability poses a significant risk to affected sites globally.
Potential Impact
For European organizations, the impact of CVE-2025-6080 can be severe, especially for businesses in the fitness and wellness sector that rely on the WPGYM plugin to manage memberships and client data. Unauthorized administrative access can lead to exposure of sensitive personal data, including membership details, payment information, and health-related data, potentially violating GDPR and other data protection regulations. Attackers gaining admin privileges can manipulate or delete data, disrupt business operations, or use the compromised site as a launchpad for further attacks within the organization's network. The reputational damage and regulatory penalties resulting from data breaches could be substantial. Additionally, since the vulnerability requires only subscriber-level access, it lowers the barrier for exploitation, increasing the risk of insider threats or compromised low-privilege accounts being leveraged for full site takeover. This threat is particularly critical for small to medium-sized enterprises (SMEs) that may lack robust cybersecurity defenses and incident response capabilities.
Mitigation Recommendations
Immediate mitigation steps include restricting user registration and limiting subscriber-level access until a patch is available. Organizations should audit existing user accounts for suspicious or unauthorized admin accounts and remove them promptly. Implementing a Web Application Firewall (WAF) with custom rules to detect and block suspicious user creation requests can provide temporary protection. Monitoring logs for unusual account creation activities is essential. Administrators should enforce strong authentication mechanisms, including multi-factor authentication (MFA) for all admin accounts, to reduce the risk of account compromise. It is also advisable to isolate WordPress instances running the WPGYM plugin from critical internal networks to limit lateral movement in case of compromise. Once the vendor releases a patch, immediate application is critical. In the interim, organizations should consider alternative gym management solutions or disable the plugin if feasible. Regular backups and tested recovery procedures will help mitigate the impact of any successful exploitation.
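The following PHP snippet is an added illustration of the CWE-269 pattern described in the technical summary and of the audit logging recommended above; it is not code from the WPGYM plugin or from dasinfomedia. The AJAX action names, function names, request fields and the `example_gym_member` role are invented for the example. The first handler shows the weakness (a `wp_ajax_` hook reachable by any logged-in user, with no nonce, no capability check and a caller-chosen role); the second shows the hardened form using only standard WordPress APIs.

```php
<?php
/**
 * Hypothetical illustration of CWE-269 in a WordPress AJAX user-creation
 * handler. NOT the WPGYM plugin's code: action names, function names,
 * request fields and the 'example_gym_member' role are invented here.
 */

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_* hooks fire for every authenticated request, so Subscriber-level
// users reach this handler. It never checks capabilities, never verifies a
// nonce, and lets the caller pick the role, so 'administrator' is accepted.
add_action( 'wp_ajax_example_gym_add_member', 'example_gym_add_member_vulnerable' );
function example_gym_add_member_vulnerable() {
    $user_id = wp_insert_user( array(
        'user_login' => $_POST['user_login'],
        'user_email' => $_POST['user_email'],
        'user_pass'  => $_POST['user_pass'],
        'role'       => $_POST['role'],   // caller-controlled, unrestricted
    ) );
    wp_send_json_success( array( 'id' => $user_id ) );
}

// --- Hardened pattern -----------------------------------------------------
add_action( 'wp_ajax_example_gym_add_member_safe', 'example_gym_add_member_safe' );
function example_gym_add_member_safe() {
    // 1. CSRF protection: the form must carry wp_create_nonce( 'example_gym_add_member' ).
    //    check_ajax_referer() calls wp_die() on failure, so execution stops here.
    check_ajax_referer( 'example_gym_add_member', 'nonce' );

    // 2. Authorisation: only users who may create users proceed. This is the
    //    check whose absence is CWE-269. wp_send_json_error() also ends the request.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 3. Role allowlist: the feature may assign only low-privilege roles,
    //    regardless of what the request asks for.
    $allowed_roles = array( 'subscriber', 'example_gym_member' );
    $role = isset( $_POST['role'] ) ? sanitize_key( wp_unslash( $_POST['role'] ) ) : 'subscriber';
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        wp_send_json_error( array( 'message' => 'Role not permitted.' ), 400 );
    }

    // 4. Input validation and sanitisation.
    $login = isset( $_POST['user_login'] ) ? sanitize_user( wp_unslash( $_POST['user_login'] ), true ) : '';
    $email = isset( $_POST['user_email'] ) ? sanitize_email( wp_unslash( $_POST['user_email'] ) ) : '';
    if ( '' === $login || ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid login or email.' ), 400 );
    }

    $user_id = wp_insert_user( array(
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => wp_generate_password( 24 ), // generated, never caller-chosen
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 400 );
    }

    // 5. Audit trail: one line per account creation, naming the acting user,
    //    the new user and the role, for the log monitoring recommended above.
    error_log( sprintf(
        'example_gym: user %d created user %d with role %s',
        get_current_user_id(),
        $user_id,
        $role
    ) );
    wp_send_json_success( array( 'id' => $user_id ) );
}
```

The hardened handler layers three independent controls: the nonce stops cross-site requests, `current_user_can( 'create_users' )` stops low-privilege accounts, and the role allowlist stops privilege escalation even if a caller with `create_users` is later compromised. The `error_log` line gives defenders a concrete event to alert on while auditing for unexpected administrator accounts.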
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-13T17:08:37.410Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 689fff64ad5a09ad00743982
Added to database: 8/16/2025, 3:47:48 AM
Last enriched: 8/16/2025, 4:03:19 AM
Last updated: 8/20/2025, 7:16:22 AM