CVE-2025-6080: CWE-269 Improper Privilege Management in dasinfomedia WPGYM - Wordpress Gym Management System
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67.7.0. This is due to the plugin not properly validating a user's capabilities prior to adding users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to create new users, including admins.
AI Analysis
Technical Summary
CVE-2025-6080 is a critical vulnerability affecting the WPGYM - Wordpress Gym Management System plugin developed by dasinfomedia. This plugin is widely used to manage gym memberships and related services on WordPress websites. The vulnerability arises from improper privilege management (CWE-269), where the plugin fails to correctly validate user capabilities before allowing user creation. Specifically, authenticated users with Subscriber-level access or higher can exploit this flaw to create new user accounts, including those with administrative privileges. This bypasses the intended access control mechanisms, enabling privilege escalation without requiring higher-level credentials or user interaction. The vulnerability affects all versions up to and including 67.7.0. The CVSS v3.1 base score is 8.8, indicating a high severity with network attack vector, low attack complexity, requiring low privileges, no user interaction, and impacting confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the ease of exploitation and the potential for complete site takeover make this a significant threat. Attackers gaining admin access can manipulate site content, steal sensitive data, deploy malware, or disrupt services, severely impacting the affected organizations.
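The defect the summary describes is a missing capability check on the code path that inserts users. The following is an added illustration, not WPGYM's code: a hypothetical WordPress AJAX handler shown first in the vulnerable shape (any authenticated caller reaches it and the client chooses the role) and then in a hardened shape that checks a nonce, requires the `create_users` capability, and allow-lists the role. The action name, field names, function names and the `member` role are assumptions.

```php
<?php
// Added illustration, not WPGYM code. Hypothetical plugin handler that
// creates a user from an admin-ajax request (action, field and function
// names are assumptions).

// VULNERABLE shape (not registered with add_action on purpose):
// wp_ajax_* hooks only require that the caller be logged in, so without a
// capability check a Subscriber reaches this code, and the role is taken
// straight from the request. That is the CWE-269 pattern in the advisory.
function example_vulnerable_add_user() {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ) ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) wp_unslash( $_POST['user_pass'] ?? '' ),
        'role'       => (string) wp_unslash( $_POST['role'] ?? '' ), // client-controlled
    ) );
    wp_send_json( $user_id );
}

// HARDENED shape: same feature, with the checks the vulnerable one lacks.
function example_hardened_add_user() {
    // 1. CSRF: the request must carry a nonce bound to this action.
    check_ajax_referer( 'example_add_user', '_wpnonce' );

    // 2. Authorization: only users who may create users continue.
    //    A Subscriber does not hold create_users, so the request stops here.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Role allow-list: the client never picks an arbitrary role, and
    //    administrator is only grantable by a caller who may promote users.
    $role = sanitize_key( wp_unslash( $_POST['role'] ?? 'subscriber' ) );
    $allowed_roles = array( 'subscriber', 'member' ); // 'member' is an assumed plugin role
    if ( 'administrator' === $role && current_user_can( 'promote_users' ) ) {
        $allowed_roles[] = 'administrator';
    }
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        wp_send_json_error( 'role not permitted', 400 );
    }

    // 4. Sanitize the remaining fields and let WordPress validate them.
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( wp_unslash( $_POST['user_login'] ?? '' ), true ),
        'user_email' => sanitize_email( wp_unslash( $_POST['user_email'] ?? '' ) ),
        'user_pass'  => (string) wp_unslash( $_POST['user_pass'] ?? '' ),
        'role'       => $role,
    ) );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( $user_id->get_error_message(), 400 );
    }
    wp_send_json_success( array( 'user_id' => $user_id ) );
}
add_action( 'wp_ajax_example_add_user', 'example_hardened_add_user' );
```

The essential line is the `current_user_can( 'create_users' )` test: being logged in (which is all a `wp_ajax_*` hook guarantees) is authentication, not authorization, and the role allow-list closes the second half of the problem by refusing to honour a client-supplied `administrator` value from a caller who may not grant it.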
Potential Impact
For European organizations using the WPGYM plugin, this vulnerability poses a substantial risk. Unauthorized admin account creation can lead to full site compromise, exposing customer data, including personal and payment information, which is subject to strict GDPR regulations. The breach of confidentiality and integrity can result in legal penalties, reputational damage, and financial losses. Additionally, attackers could deface websites, disrupt gym management operations, or use compromised sites as a foothold for further attacks within the organization's network. Given the plugin’s role in managing memberships and potentially payment processing, the impact on business continuity and customer trust is significant. Organizations in the fitness and wellness sector, especially those relying heavily on online membership management, are at heightened risk.
Mitigation Recommendations
Immediate mitigation steps include updating the WPGYM plugin to a patched version once available from dasinfomedia. Until a patch is released, organizations should restrict Subscriber-level user registrations or disable new user registrations entirely if feasible. Implementing strict monitoring and alerting for new user account creations, especially those with admin privileges, can help detect exploitation attempts early. Employing Web Application Firewalls (WAFs) with custom rules to block suspicious requests targeting user creation endpoints is advisable. Additionally, conducting regular audits of user accounts to identify unauthorized admin accounts is critical. Organizations should also enforce strong authentication mechanisms, such as multi-factor authentication (MFA), for all admin accounts to reduce the risk of account misuse. Finally, isolating WordPress instances and limiting their network access can reduce the blast radius of a potential compromise.
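The monitoring and audit recommendations above can be implemented on the WordPress side without touching the plugin. The following is an added example, not WPGYM's or Wordfence's code: a must-use plugin that logs and e-mails whenever an account is created with, or promoted to, the administrator role, plus a helper that lists administrators registered in the last N days for periodic review. Function names and the e-mail alert channel are assumptions.

```php
<?php
/**
 * Plugin Name: Example admin-account watch (added example, not WPGYM code)
 *
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins and
 * cannot be deactivated from the dashboard. It reports administrator
 * accounts regardless of which plugin or code path created them.
 */

// Report an administrator account once per request (creation of an admin
// fires both user_register and set_user_role, so we de-duplicate).
function example_admin_watch_report( $user_id, $event ) {
    static $reported = array();
    if ( isset( $reported[ $user_id ] ) ) {
        return;
    }
    $user = get_userdata( $user_id );
    if ( ! $user || ! in_array( 'administrator', (array) $user->roles, true ) ) {
        return; // only administrator accounts are of interest here
    }
    $reported[ $user_id ] = true;

    $actor = wp_get_current_user(); // ID 0 when no user is logged in (e.g. WP-CLI)
    $ip    = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'n/a';
    $message = sprintf(
        '[admin-watch] %s: user #%d (%s) now holds administrator; actor #%d (%s) from %s',
        $event,
        $user_id,
        $user->user_login,
        $actor->ID,
        $actor->user_login ? $actor->user_login : 'none',
        $ip
    );

    error_log( $message ); // goes to the PHP/web-server error log for the SIEM to pick up
    // Assumed alert channel: the site's admin e-mail address.
    wp_mail( get_option( 'admin_email' ), '[admin-watch] administrator account event', $message );
}

// Fires for every newly inserted user; the role is already set at this point.
add_action( 'user_register', function ( $user_id ) {
    example_admin_watch_report( $user_id, 'user_register' );
}, 10, 1 );

// Fires when an existing user's role changes (promotion to administrator).
add_action( 'set_user_role', function ( $user_id, $role ) {
    if ( 'administrator' === $role ) {
        example_admin_watch_report( $user_id, 'set_user_role' );
    }
}, 10, 2 );

// Audit helper: administrators whose registration date falls within the
// last $days days. Compare the result against the expected admin roster.
function example_recent_administrators( $days = 7 ) {
    return get_users( array(
        'role'       => 'administrator',
        'date_query' => array( array( 'after' => "{$days} days ago" ) ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );
}
```

For the periodic audit, the helper can be called from WP-CLI (`wp eval` with a call to `example_recent_administrators( 30 )`) or from a scheduled task; any administrator it returns that is not on the organisation's known roster warrants investigation of the plugin's user-creation endpoint in the web-server access logs. Note that `user_register` fires after the role has been applied, which is why the role check inside the reporter is reliable for newly created accounts.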
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-06-13T17:08:37.410Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 689fff64ad5a09ad00743982
Added to database: 8/16/2025, 3:47:48 AM
Last enriched: 8/24/2025, 1:01:00 AM
Last updated: 10/6/2025, 10:21:33 PM
Views: 47