CVE-2025-3671
Published: 16 August 2025
Summary
CVE-2025-3671 is a high-severity Path Traversal (CWE-22) vulnerability in Codecanyon (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates the LFI by requiring validation and sanitization of user inputs such as the unsanitized 'page' parameter, blocking path traversal attacks.
- SI-2 (Flaw Remediation): Ensures timely identification, reporting, and patching of the specific LFI flaw in the WPGYM plugin, eliminating the vulnerability.
- Least privilege: Limits exploitation impact by restricting Subscriber-level access to the vulnerable plugin endpoints and to the chained privilege escalation paths.
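As an added illustration of the SI-10 and least-privilege controls above (example code written for this page, not the WPGYM plugin's own source), here is a hypothetical dashboard dispatcher in the vulnerable style beside a hardened version; the view names and the `wpgym_` function names are assumptions.

```php
<?php
// Added example for this page, not WPGYM's code. A hypothetical dashboard
// dispatcher that picks a view file from the user-controlled 'page' parameter.

// VULNERABLE pattern (CWE-22): the raw parameter is concatenated into the
// include path, so traversal sequences or uploaded "safe" files get included.
function wpgym_render_view_vulnerable(): void {
    $page = $_GET['page'] ?? 'dashboard';
    include __DIR__ . '/views/' . $page . '.php';
}

// HARDENED pattern (SI-10): the request value is only ever used as a lookup
// key into a fixed allowlist; the filesystem path never contains user input.
const WPGYM_VIEWS = [ // hypothetical view names
    'dashboard' => 'dashboard.php',
    'members'   => 'members.php',
    'classes'   => 'classes.php',
];

function wpgym_resolve_view(string $page): ?string {
    $key = strtolower(trim($page));
    if (!array_key_exists($key, WPGYM_VIEWS)) {
        return null; // traversal sequences and uploaded files all land here
    }
    return __DIR__ . '/views/' . WPGYM_VIEWS[$key];
}

function wpgym_render_view_hardened(): void {
    // Least privilege: Subscriber-level users should not reach the gym admin
    // views at all, so gate the endpoint on an administrative capability first.
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('Insufficient permissions', 'wpgym'), '', ['response' => 403]);
    }
    // sanitize_key() is WordPress core: lowercases and strips to [a-z0-9_-],
    // which removes '/', '.' and ':' before the allowlist lookup even runs.
    $path = wpgym_resolve_view(sanitize_key($_GET['page'] ?? 'dashboard'));
    if ($path === null) {
        wp_die(esc_html__('Unknown view', 'wpgym'), '', ['response' => 400]);
    }
    include $path;
}
```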
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The LFI enables direct exploitation of a public-facing WordPress plugin (T1190), arbitrary code execution via uploaded web shells (T1505.003), and chained privilege escalation to Super Admin (T1068).
NVD Description
The WPGYM - Wordpress Gym Management System plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 67.7.0 via the 'page' parameter. This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included. The Local File Inclusion exploit can be chained to include various dashboard view files in the plugin. One in particular reported by the researcher can be leveraged to update the password of Super Administrator accounts in Multisite environments making privilege escalation possible.
Deeper analysis
CVE-2025-3671 is a Local File Inclusion (LFI) vulnerability, classified under CWE-22, affecting the WPGYM - WordPress Gym Management System plugin for WordPress in all versions up to and including 67.7.0. The flaw arises from inadequate sanitization of the 'page' parameter, enabling the inclusion and execution of arbitrary files on the server. With a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), it poses a high risk due to its potential for remote exploitation with low complexity and limited privileges.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability over the network without user interaction. Successful exploitation allows inclusion and execution of arbitrary PHP code from included files, bypassing access controls, exfiltrating sensitive data, or achieving remote code execution by leveraging uploadable "safe" file types like images. The LFI can be chained with plugin dashboard view files, notably enabling privilege escalation in WordPress Multisite environments by updating Super Administrator account passwords.
Advisories and further details are available from Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/6536d19f-a042-4404-b0c9-91aacd7768f7?source=cve and the plugin's CodeCanyon page at https://codecanyon.net/item/-wpgym-wordpress-gym-management-system/13352964. No specific patch or mitigation details are outlined in the CVE description.
Details
- CWE(s)