CVE-2025-7442: 
WordPress vulnerability analysis and mitigation

The WPGYM - Wordpress Gym Management System plugin for WordPress (versions up to 67.8.0) contains a SQL Injection vulnerability identified as CVE-2025-7442. The vulnerability was discovered and reported by Wordfence on July 11, 2025. This security flaw affects multiple functions including MJgmgtdeleteclasslimitformember, MJgmgtgetyearlyincomeexpense, MJgmgtgetmonthlyincomeexpense, MJgmgtaddclasslimit, MJgmgtviewmeetingdetail, and MJgmgtcreate_meeting (NVD).

The vulnerability is classified as SQL Injection (CWE-89) with a CVSS v3.1 Base Score of 7.5 (HIGH). The attack vector is characterized by CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that it can be exploited remotely with low attack complexity, requires no privileges or user interaction, and primarily impacts confidentiality (NVD).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing queries, potentially enabling the extraction of sensitive information from the database. The high CVSS score of 7.5 indicates significant potential impact on system confidentiality (NVD).

Users of the WPGYM - Wordpress Gym Management System plugin should upgrade to a version newer than 67.8.0 if available. Until an update is possible, it is recommended to implement additional security measures such as Web Application Firewalls (WAF) to help prevent SQL injection attacks (Wordfence).