Dasinfomedia Wpgym Wordpress Gym Management System vulnerabilities
6 known vulnerabilities affecting dasinfomedia/wpgym_wordpress_gym_management_system.
Total CVEs: 6
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 5
Vulnerabilities
CVE-2024-9942 | P2 | CRITICAL | CVSS 9.8 | CWE-434 | ≤ 67.1.0 | 2024-11-23
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the MJ_gmgt_user_avatar_image_upload() function in all versions up to, and including, 67.1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server whic
nvd
CVE-2025-7049 | P2 | HIGH | CVSS 8.8 | CWE-639 | ≤ 67.7.0 | 2025-09-10
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 67.7.0 via the 'MJ_gmgt_gmgt_add_user' function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change the email, p
nvd
CVE-2025-3671 | P2 | HIGH | CVSS 8.8 | CWE-22 | ≤ 67.7.0 | 2025-08-16
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 67.7.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP co
nvd
CVE-2024-9941 | P3 | HIGH | CVSS 8.8 | CWE-269 | ≤ 67.1.0 | 2024-11-23
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to privilege escalation due to a missing capability check on the MJ_gmgt_add_staff_member() function in all versions up to, and including, 67.1.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to create new user accounts with the
nvd
CVE-2025-6080 | P3 | HIGH | CVSS 8.8 | CWE-269 | ≤ 67.7.0 | 2025-08-16
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to unauthorized admin account creation in all versions up to, and including, 67.7.0. This is due to the plugin not properly validating a user's capabilities prior to adding users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to c
nvd
CVE-2025-7442 | P3 | HIGH | CVSS 7.5 | CWE-89 | fixed in 67.8.0 | 2025-07-11
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to SQL Injection via several parameters in the MJ_gmgt_delete_class_limit_for_member, MJ_gmgt_get_yearly_income_expense, MJ_gmgt_get_monthly_income_expense, MJ_gmgt_add_class_limit, MJ_gmgt_view_meeting_detail, and MJ_gmgt_create_meeting functions in all versions up to 67.8.0 d
nvd