CVE-2025-54026

CVE-2025-54026 is a SQL injection vulnerability in the GymBase Theme Classes WordPress plugin (version 1.4 and earlier). The issue stems from improper neutralization of special elements used in an SQL command within the gymbase_classes handler, allowing an attacker to inject arbitrary SQL queries.[1]

This vulnerability can be exploited without authentication, making it critical for unpatched sites. The attack surface is wide because the plugin is used on thousands of websites, and automated mass-exploit campaigns are known to target such flaws.[1] By sending specially crafted input to the vulnerable endpoint, an attacker can manipulate database queries and extract sensitive information.

Successful exploitation enables a malicious actor to directly interact with the underlying database, including reading, modifying, or deleting data. This could lead to the theft of user information, credentials, or other confidential stored data.[1] The CVSS v3 score of 8.5 reflects the high impact on confidentiality and integrity, though availability impact is not directly rated.

The vulnerability has been patched in version 1.5 of the plugin. Users are strongly advised to update immediately. For those unable to update, contacting a hosting provider or web developer for assistance is recommended. Patchstack users can enable auto-updates for vulnerable plugins to simplify remediation.[1]