Description (NVD)
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuanticaLabs GymBase Theme Classes (gymbase_classes) allows SQL Injection. This issue affects GymBase Theme Classes: from n/a through <= 1.4.
Analysis (AI)
SQL injection in the QuanticaLabs GymBase Theme Classes WordPress plugin, versions up to and including 1.4, enables unauthenticated remote attackers to execute arbitrary SQL queries against the underlying database. The vulnerability lies in the gymbase_classes component and carries an EPSS score of 0.05% (16th percentile), indicating a very low probability of exploitation despite the critical nature of SQL injection flaws. No public exploit code or active exploitation had been identified at the time of analysis.
Technical Context (AI)
This vulnerability stems from improper neutralization of special characters in SQL commands (CWE-89), a classic injection flaw in which user-supplied input is concatenated directly into SQL query text without parameterized statements or proper escaping. The affected product is the GymBase Theme Classes plugin for WordPress, which likely processes user input through theme or class configuration functions without adequate input validation or prepared statements. WordPress plugins are particularly susceptible to such flaws when they query the database through the global wpdb object without using its placeholder mechanism ($wpdb->prepare()) or another parameterized query facility.
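The following is an added illustration of the pattern described above, written for this page; it is not code from the GymBase Theme Classes plugin, and the function names, table name and parameter are hypothetical. It shows the CWE-89 shape (string concatenation into the query text) next to the hardened form that routes the value through $wpdb->prepare(), which is the mechanism the WordPress database layer provides for parameterized queries.

```php
<?php
// Added example, not the plugin's own code. The helper names, the
// gym_classes table and the $class_id parameter are hypothetical.

// Vulnerable pattern (CWE-89): the caller-controlled value becomes part of
// the SQL text itself, so the query structure is no longer fixed by the code.
function gb_get_class_vulnerable( $wpdb, $class_id ) {
    $sql = "SELECT * FROM {$wpdb->prefix}gym_classes WHERE id = '" . $class_id . "'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: $wpdb->prepare() binds the value through a placeholder
// (%d for integers, %s for strings), so it can only ever be data, never SQL.
// Coercing the identifier with absint() additionally rejects non-numeric input.
function gb_get_class_safe( $wpdb, $class_id ) {
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}gym_classes WHERE id = %d",
        absint( $class_id )
    );
    return $wpdb->get_results( $sql );
}

// Hardened pattern for a string filter: %s is quoted and escaped by prepare(),
// and the caller still validates that the value is one the code expects.
function gb_get_classes_by_level_safe( $wpdb, $level ) {
    $allowed = array( 'beginner', 'intermediate', 'advanced' );
    if ( ! in_array( $level, $allowed, true ) ) {
        return array(); // unknown level: refuse rather than pass it through
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}gym_classes WHERE level = %s",
        $level
    );
    return $wpdb->get_results( $sql );
}
```

When auditing a plugin for this class of flaw, a useful first pass is to grep for calls to $wpdb->query(), get_results(), get_var() and get_row() whose SQL argument is built with string concatenation or interpolation of $_GET, $_POST or $_REQUEST values rather than passed through $wpdb->prepare(); every such site is a candidate for the pattern shown in gb_get_class_vulnerable().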
Affected Products (AI)
The QuanticaLabs GymBase Theme Classes WordPress plugin, from version 1.0 through 1.4, is affected by this SQL injection vulnerability. The plugin is identified by the CPE name wordpress/plugin/gymbase_classes and is distributed through WordPress plugin repositories. Affected users should check their installed version and determine whether they are running 1.4 or earlier.
Remediation (AI)
Update the GymBase Theme Classes plugin to the latest available version immediately. If a version beyond 1.4 has been released, apply it directly through the WordPress plugin manager. Users unable to update should disable the plugin until a patched version is available. Refer to the Patchstack vulnerability database entry (https://patchstack.com/database/Wordpress/Plugin/gymbase_classes/vulnerability/wordpress-gymbase-theme-classes-plugin-1-4-sql-injection-vulnerability?_s_id=cve) for vendor advisory details and confirmation of patched versions. If immediate patching is not feasible, additionally consider Web Application Firewall (WAF) rules that detect and block SQL injection attempts against WordPress plugin endpoints.