CVE-2025-7049
Published 2025-09-10
Priority: P261 · high · CVSS 3.1 base score 8.8
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.28% (20.1th percentile)
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67.7.0 via the 'MJ_gmgt_gmgt_add_user' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the email, password, and other details of any user, including Administrator users.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dasinfomedia | wpgym_wordpress_gym_management_system | <= 67.7.0 | — |
| msrc | microsoft_edge | — | — |
| msrc | microsoft_edge_for_ios | — | — |
CVSS provenance
- nvd (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- vendor_msrc: 8.8 HIGH
GHSA
GHSA-vfh4-9wwj-77fx · ghsa_unreviewed · 2025-09-10
CVE-2025-7049 [HIGH] CWE-639
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67.7.0 via the 'MJ_gmgt_gmgt_add_user' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the email, password, and other details of any user, including Administrator users.
Microsoft
Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
vendor_msrc · 2025-07-08 · CVSS 7.4
CVE-2025-49741 [HIGH] CWE-268
Description: No cwe for this issue in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
FAQ: What is the version information for this release?
| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 135.0.3179.98 | 4/25/2025 | 135.0.7049.114/.115 |
Product: Microsoft Edge (Chromium-based)
Vendor: Microsoft
Customer Action Required: Yes
Impact: Information Disclosure
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely
Remediation: Release Notes
Reference: https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security
Microsoft
Microsoft Edge for iOS Spoofing Vulnerability
vendor_msrc · 2025-04-08 · CVSS 4.7
CVE-2025-29796 [MEDIUM] CWE-451
Description: User interface (UI) misrepresentation of critical information in Microsoft Edge for iOS allows an unauthorized attacker to perform spoofing over a network.
FAQ: According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability?
A user could be tricked into entering credentials or responding to a pop-up after opening a specially crafted file or clicking on a link, typically by way of an enticement in an email or URL.
FAQ: What is the version information for this release?
| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 135.0.3179.54 | 4/3/2025 | 135.0.7049.41/.42/.52 |
FAQ: According to the CVSS metric, user interaction is required (UI:R). What int
Microsoft
Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability
vendor_msrc · 2025-04-08 · CVSS 8.8
CVE-2025-25000 [HIGH] CWE-843
Description: Access of resource using incompatible type ('type confusion') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to execute code over a network.
FAQ: What is the version information for this release?
| Microsoft Edge Version | Date Released | Based on Chromium Version |
|---|---|---|
| 135.0.3179.54 | 4/3/2025 | 135.0.7049.41/.42/.52 |
FAQ: How could an attacker exploit this vulnerability via the Network?
An attacker could host a specially crafted website designed to exploit the vulnerability through Microsoft Edge and then convince a user to view the website. However, in all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a use
No detection rules found.
No writeups or analysis indexed.