CVE-2025-3671

WPGYM · WPGYM - Wordpress Gym Management System plugin

A high-severity vulnerability has been identified in the WPGYM - Wordpress Gym Management System plugin for WordPress.

Executive summary

The flaw is a Local File Inclusion (LFI) vulnerability that allows an unauthenticated attacker to read sensitive files from the web server, potentially exposing confidential data such as configuration details, user credentials, and system information. Immediate patching is required to prevent data breaches and further system compromise.

Vulnerability

The vulnerability is a Local File Inclusion (LFI) flaw. An attacker can exploit this by manipulating an input parameter within the plugin to specify a path to a file on the server. The application fails to properly sanitize this input, causing it to include and display the contents of the requested file. For example, an attacker could craft a request to read sensitive files like wp-config.php (containing database credentials) or system files like /etc/passwd.

Business impact

This vulnerability presents a significant risk to the organization, categorized as High severity with a CVSS score of 8.8. Successful exploitation could lead to the exposure of highly sensitive information, including database credentials, API keys, and internal system configurations. This information disclosure could serve as a stepping stone for more advanced attacks, potentially leading to a full server compromise, a data breach of customer or business information, service disruption, and significant reputational damage.

Remediation

Immediate Action: Update the "WPGYM - Wordpress Gym Management System" plugin to the latest patched version provided by the vendor without delay. If the plugin is no longer required for business operations, deactivate it and remove it completely from the WordPress installation to eliminate the risk.

Proactive Monitoring: Monitor web server access logs for suspicious requests containing directory traversal patterns (e.g., ../, %2e%2e%2f) in URL parameters associated with the plugin. Implement a Web Application Firewall (WAF) to detect and block LFI attack signatures. Monitor for unusual file access attempts on the server originating from the web server's user account.
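The log review described above, as an added example that is not part of the advisory or the vendor's code: it parses combined-format access logs, percent-decodes each query parameter until the value is stable (so both ../ and %2e%2e%2f, and doubly encoded variants, are caught), and flags requests carrying a ".." path segment. The plugin's URL slug is not stated in the advisory, so PLUGIN_PATH is a labelled placeholder, and the log lines are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Placeholder: the advisory does not give the plugin's slug; substitute the real one.
PLUGIN_PATH = "/wp-content/plugins/PLUGIN-SLUG-PLACEHOLDER/"

# Constructed sample traffic in Apache/Nginx combined log format (not real captured data).
SAMPLE_LOG = f"""\
203.0.113.5 - - [10/Apr/2025:12:00:01 +0000] "GET {PLUGIN_PATH}index.php?file=../../../../wp-config.php HTTP/1.1" 200 1822 "-" "curl/8.0"
203.0.113.5 - - [10/Apr/2025:12:00:02 +0000] "GET {PLUGIN_PATH}index.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 933 "-" "curl/8.0"
203.0.113.5 - - [10/Apr/2025:12:00:03 +0000] "GET {PLUGIN_PATH}index.php?file=%252e%252e%252fwp-config.php HTTP/1.1" 200 1822 "-" "curl/8.0"
198.51.100.7 - - [10/Apr/2025:12:00:04 +0000] "GET {PLUGIN_PATH}index.php?file=members.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.8 - - [10/Apr/2025:12:00:05 +0000] "GET /?s=../ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Only the client IP, request target and status are needed from each line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A '..' path segment, checked after decoding and with backslashes folded to '/'.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %2e%2e%2f and %252e%252e%252f both read as '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def find_traversal(target: str) -> list:
    """Return (parameter, decoded value) pairs whose value contains a '..' segment."""
    parts = urlsplit(target)
    candidates = [("(path)", parts.path)] + parse_qsl(parts.query, keep_blank_values=True)
    return [(name, normalize(raw)) for name, raw in candidates
            if TRAVERSAL_RE.search(normalize(raw))]


def scan_log(text: str, plugin_path: str = PLUGIN_PATH) -> list:
    """One alert per request carrying traversal; 'plugin' marks hits under the plugin's path.
    A 200 status on such a request is the most urgent to review (the read likely succeeded)."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (hits := find_traversal(m["target"])):
            path = urlsplit(m["target"]).path
            alerts.append({"ip": m["ip"], "status": m["status"], "path": path,
                           "params": hits, "plugin": path.startswith(plugin_path)})
    return alerts
```

Run `scan_log(SAMPLE_LOG)` to see four alerts, three of them under the plugin path; feed real logs through the same function once the placeholder slug is replaced.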

Compensating Controls: If immediate patching is not feasible, implement a WAF with strict rules to block directory traversal and LFI attempts. Harden the web server's file permissions to ensure the user account running the web service has read access only to the files and directories it explicitly needs to function, preventing it from accessing sensitive system files.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the high CVSS score of 8.8 and the critical nature of the data at risk, it is strongly recommended that organizations prioritize the immediate remediation of this vulnerability. The ease of exploitation and the potential for complete data exposure make this a critical threat. All instances of the WPGYM plugin must be updated to the latest version without delay to protect against potential compromise.