CVE-2025-6080: CWE-269 Improper Privilege Management in dasinfomedia WPGYM - Wordpress Gym Management System
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67.7.0. This is due to the plugin not properly validating a user's capabilities prior to adding users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new users, including admins.
AI Analysis (machine-generated threat intelligence)
Technical Summary
The vulnerability identified as CVE-2025-6080 affects all versions of the dasinfomedia WPGYM - WordPress Gym Management System plugin up to and including version 67.7.0. The root cause is improper privilege management (CWE-269), where the plugin does not adequately validate a user's capabilities before permitting the creation of new user accounts. Specifically, authenticated users with Subscriber-level access or higher can exploit this flaw to create new users, including those with administrative privileges. This bypasses normal WordPress role-based access controls, enabling privilege escalation. The vulnerability has a CVSS 3.1 base score of 8.8, reflecting its high impact on confidentiality, integrity, and availability, as well as its low attack complexity and lack of required user interaction. The flaw allows attackers to gain full control over the affected WordPress site, potentially leading to data theft, site defacement, or further malware deployment. Although no known exploits are currently in the wild, the vulnerability's nature and ease of exploitation make it a significant threat. The vulnerability was publicly disclosed on August 16, 2025, with no official patches yet available, increasing the urgency for mitigation measures.
Potential Impact
The impact of CVE-2025-6080 is severe for organizations using the WPGYM plugin on WordPress sites. Successful exploitation grants attackers administrative privileges, enabling complete control over the website. This can lead to unauthorized data access, modification, or deletion, including sensitive customer and business data. Attackers could also install backdoors, deface websites, or use the compromised site as a launchpad for further attacks within the organization's network. The availability of the site could be disrupted through malicious actions by the attacker. Given the popularity of WordPress and the niche use of WPGYM in gym and fitness businesses, the threat could affect a wide range of organizations, from small gyms to large fitness chains, potentially damaging reputation and causing financial loss. The lack of required user interaction and low complexity of exploitation increase the risk of widespread abuse once exploit code becomes available.
Mitigation Recommendations
Until an official patch is released, organizations should implement several specific mitigations:
1) Restrict user registrations and roles strictly, ensuring that only trusted users have Subscriber-level or higher access.
2) Employ WordPress security plugins that monitor and alert on new user creation, especially for admin accounts.
3) Disable or limit the WPGYM plugin's user management features if possible, or temporarily deactivate the plugin if it is not critical.
4) Implement web application firewall (WAF) rules to detect and block suspicious requests related to user creation endpoints in WPGYM.
5) Conduct regular audits of user accounts to identify and remove unauthorized users promptly.
6) Monitor logs for unusual activity patterns indicative of exploitation attempts.
7) Prepare to apply patches immediately once they are released by dasinfomedia.
8) Educate site administrators about the vulnerability and the importance of least privilege principles.
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, Brazil, Japan, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-13T17:08:37.410Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689fff64ad5a09ad00743982
Added to database: 8/16/2025, 3:47:48 AM
Last enriched: 2/27/2026, 4:03:04 PM
Last updated: 3/24/2026, 3:10:08 PM