CVE-2025-32549: 
WordPress vulnerability analysis and mitigation

A Local File Inclusion vulnerability (CVE-2025-32549) was discovered in mojoomla WPGYM plugin versions up to 65.0. The vulnerability was publicly disclosed on June 12, 2025, and affects WordPress installations running the WPGYM plugin. The vulnerability received a CVSS v3.1 base score of 7.5 (HIGH) and requires Subscriber-level privileges or higher to exploit (Wiz, Patchstack).

The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). It has a CVSS vector string of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, high attack complexity, low privileges required, no user interaction needed, and high potential impact on confidentiality, integrity, and availability (NVD, Wiz).

This vulnerability could enable malicious actors to include local files of the target website and display their contents. Particularly sensitive files containing credentials, such as database configuration files, could be exposed, potentially leading to complete database compromise depending on the server configuration (Patchstack).

As of the disclosure date, no official fix is available for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to implement the virtual patch immediately or consider disabling the plugin until a security update is released (Patchstack).