CVE-2024-9941: 
WordPress vulnerability analysis and mitigation

The WPGYM - Wordpress Gym Management System plugin for WordPress (CVE-2024-9941) contains a privilege escalation vulnerability affecting all versions up to and including 67.1.0. The vulnerability was discovered and disclosed on November 23, 2024 (NVD, Wordfence).

The vulnerability stems from a missing capability check in the MJ_gmgt_add_staff_member() function. This security flaw allows authenticated attackers with subscriber-level access or higher to create new user accounts with administrator privileges. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows authenticated attackers to escalate their privileges by creating administrator accounts, potentially leading to complete compromise of the WordPress installation. This could result in unauthorized access to sensitive data, modification of site content, and installation of malicious plugins or themes (NVD).

The vulnerability has been patched in version 67.2.0 of the WPGYM plugin. Site administrators are strongly advised to update to this version or later to protect against potential exploitation (NVD, CodeCanyon).