CVE-2025-54026 HIGH

CVE-2025-54026: WordPress GymBase Theme Classes plugin <= 1.4 - SQL Injection Vulnerability

Vendor Quanticalabs
Product GymBase Theme Classes
Weakness CWE-89 · SQLi
Published July 16, 2025
Last update May 13, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in QuanticaLabs GymBase Theme Classes gymbase_classes allows SQL Injection.This issue affects GymBase Theme Classes: from n/a through <= 1.4.

Explanation of Vulnerability in Simple Terms

02Summary

GymBase Theme Classes versions 1.4 and earlier contain a SQL injection vulnerability accessible to authenticated users. An attacker with low-level account access can craft malicious input to execute arbitrary SQL queries, potentially reading sensitive data from the database or disrupting site availability. The vulnerability affects multiple components due to scope change.

What an attacker can do

03Attacker Capabilities

Read sensitive database records and disrupt site availability by injecting SQL commands.

Potential impact on your site

04Site Impact

Unauthorized access to database contents and potential service disruption if the site runs GymBase Theme Classes 1.4 or earlier.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site; no user interaction required.

Key dates

06Disclosure timeline

July 16, 2025 CVE published
May 13, 2026 Record updated