CVE-2025-3671: 
WordPress vulnerability analysis and mitigation

The WPGYM - Wordpress Gym Management System plugin for WordPress contains a Local File Inclusion vulnerability (CVE-2025-3671) affecting all versions up to and including 67.7.0. The vulnerability was disclosed on August 16, 2025, and impacts WordPress installations using the affected plugin versions (NVD CVE).

The vulnerability exists in the 'page' parameter of the WPGYM plugin, which fails to properly restrict file path traversal. This vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD CVE).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to include and execute arbitrary files on the server. This can lead to the execution of any PHP code in those files, potentially allowing attackers to bypass access controls, obtain sensitive data, or achieve code execution when combined with uploaded files. In Multisite environments, the vulnerability can be leveraged to update Super Administrator account passwords, enabling privilege escalation (NVD CVE).

Users should immediately update to a version newer than 67.7.0 if available. Until a patch is applied, site administrators should carefully review and potentially restrict user roles and permissions, particularly in Multisite environments (NVD CVE).