Two serious security vulnerabilities have been discovered in TheGem, a premium WordPress theme used by more than 82,000 websites worldwide. Researchers warn that when exploited together, these flaws can lead to remote code execution (RCE), potentially giving attackers full control over affected websites.
Security researchers at Wordfence identified the vulnerabilities in versions 5.10.3 and earlier of the TheGem theme. While each flaw poses a risk on its own, their combined use creates a dangerous attack chain.
According to Wordfence, the file fetched by the vulnerable logo function is copied into the WordPress uploads folder, which is publicly accessible by default. An attacker could chain the two flaws to place arbitrary PHP code there and then request the file over the web to trigger remote code execution.
Enabling Low-Level Access
The first flaw, tracked as CVE-2025-4317, has been given a high-severity CVSS score of 8.8. This vulnerability arises from the failure to validate file types within the thegem_get_logo_url() function.
As a result, authenticated users with even the lowest level of access (subscriber permissions) can upload arbitrary files, including malicious PHP scripts, to the WordPress server. Researchers noted that the vulnerable function blindly downloads files without checking their type, offering a direct path for attackers to plant harmful code.
The second vulnerability, CVE-2025-4339, is rated medium severity with a CVSS score of 4.3. It stems from insufficient authorization checks in the theme’s ajaxApi() function.
Although the function verifies a nonce, it performs no capability check, so it does not restrict who may call it based on user role. A nonce only shows that the request originated from a page the site rendered for a logged-in user; it is not an authorization check. As a result, attackers with subscriber-level access can modify key theme settings, such as the logo URL, and point it at a malicious file.
Full Site Compromise
When exploited in tandem, these flaws open the door to a full site compromise. An attacker could first use CVE-2025-4339 to change the logo URL to a remote PHP file. TheGem’s thegem_get_logo_url() function would then download that file into the site’s uploads directory without validating its type.
Once the file is stored, the attacker simply requests its URL; the server executes the PHP, giving remote code execution and potentially full control of the site.
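The two weakness classes described above, a theme-option AJAX handler that checks only a nonce and a fetch routine that trusts the remote file name, next to a hardened version of the same handler. This is an illustrative example written for this article, not TheGem's source code; the action names, option name, nonce name and function names are assumptions.

```php
<?php
/**
 * Illustrative WordPress AJAX handler for a "set logo URL" theme option,
 * showing the two weakness classes described in the article next to a
 * hardened version. Example code written for this article: it is not
 * TheGem's source, and the action names, option name, nonce name and
 * function names are assumptions. To try it, save it as a file in
 * wp-content/mu-plugins/ on a disposable test site.
 */

if ( ! function_exists( 'download_url' ) ) {
	require_once ABSPATH . 'wp-admin/includes/file.php';
}

// --- Weak pattern: nonce only, no capability check, no file-type check. ---
add_action( 'wp_ajax_example_weak_set_logo', 'example_weak_set_logo' );
function example_weak_set_logo() {
	// A nonce shows the request came from a page this site rendered for a
	// logged-in user. It says nothing about which user, or their role.
	check_ajax_referer( 'example_theme_nonce', 'nonce' );

	$url = isset( $_POST['logo_url'] ) ? (string) $_POST['logo_url'] : '';
	update_option( 'example_logo_url', $url ); // any subscriber reaches this line

	// The "logo" is fetched and copied into uploads under its remote file
	// name, .php included, so the planted file is reachable over the web.
	$tmp = download_url( $url );
	if ( ! is_wp_error( $tmp ) ) {
		$dir = wp_upload_dir();
		rename( $tmp, trailingslashit( $dir['basedir'] ) . basename( (string) wp_parse_url( $url, PHP_URL_PATH ) ) );
	}
	wp_send_json_success();
}

// --- Hardened pattern: authorize the caller, then trust the bytes, not the name. ---
add_action( 'wp_ajax_example_safe_set_logo', 'example_safe_set_logo' );
function example_safe_set_logo() {
	check_ajax_referer( 'example_theme_nonce', 'nonce' );

	// Authorization: changing theme settings is an administrator task.
	if ( ! current_user_can( 'edit_theme_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	$url = isset( $_POST['logo_url'] ) ? esc_url_raw( wp_unslash( $_POST['logo_url'] ) ) : '';
	// http(s) only; wp_http_validate_url() also refuses loopback and private
	// addresses by default, which keeps the fetch from being aimed inward.
	if ( '' === $url || ! wp_http_validate_url( $url ) ) {
		wp_send_json_error( 'invalid url', 400 );
	}

	$tmp = download_url( $url );
	if ( is_wp_error( $tmp ) ) {
		wp_send_json_error( $tmp->get_error_message(), 502 );
	}

	// Content check: wp_get_image_mime() reads the magic bytes and returns
	// false for anything that is not an image, PHP source included. Only an
	// allow-list of image types gets through, and the stored extension comes
	// from the detected type, never from the remote name.
	$allowed   = array( 'image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif' );
	$real_mime = wp_get_image_mime( $tmp );
	if ( ! $real_mime || ! isset( $allowed[ $real_mime ] ) ) {
		@unlink( $tmp );
		wp_send_json_error( 'not an allowed image type', 415 );
	}

	// wp_upload_bits() writes into uploads through the normal media path and
	// re-checks the file name against the site's allowed MIME types.
	$upload = wp_upload_bits( 'site-logo.' . $allowed[ $real_mime ], null, (string) file_get_contents( $tmp ) );
	@unlink( $tmp );
	if ( ! empty( $upload['error'] ) ) {
		wp_send_json_error( $upload['error'], 500 );
	}

	update_option( 'example_logo_url', $upload['url'] );
	wp_send_json_success( array( 'url' => $upload['url'] ) );
}
```

The ordering in the hardened handler is the point: the capability check runs before any state is touched, the URL is validated before anything is fetched, and the file's actual content decides whether it is stored and under what name. A nonce alone would have stopped none of the steps in the chain described above.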
The vulnerabilities were responsibly disclosed to the theme’s developer, CodexThemes, who released a patched version, 5.10.3.1, on 7 May.
Patch Immediately
In its advisory, Wordfence urged all users of TheGem to apply the patch immediately to prevent exploitation. The Wordfence firewall began blocking attempts to exploit these vulnerabilities for Premium users as of 5 May, with free users set to receive the same protection on 4 June.
Website admins using TheGem are advised to urgently update to version 5.10.3.1 or later. Also, experts recommend reviewing user roles and permissions, monitoring server logs for suspicious activity, and deploying a web application firewall to add an extra layer of protection.
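One concrete form of the log monitoring recommended above, as an added example written for this article (not Wordfence or CodexThemes code): a command-line script that reads Apache or nginx "combined" access-log lines and flags requests for .php files under wp-content/uploads/, raising the severity when the same client POSTed to admin-ajax.php shortly beforehand, which is the shape of the chain described earlier. The log lines embedded in the script are constructed sample data using documentation IP ranges; the ten-minute window is an assumption.

```php
<?php
/**
 * Access-log triage for the TheGem-style chain: a POST to admin-ajax.php
 * followed by a request for a .php file under wp-content/uploads/.
 * Example written for this article, not vendor code. Input is the Apache/
 * nginx "combined" log format. Run as: php triage.php [access.log]
 * With no argument it runs over the constructed sample lines below.
 */

function parse_combined( string $line ): ?array {
	// Fields used: client IP, [timestamp], "METHOD PATH PROTO", status.
	if ( ! preg_match( '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
		return null;
	}
	$ts = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
	if ( false === $ts ) {
		return null;
	}
	$path = parse_url( $m[4], PHP_URL_PATH );
	if ( ! is_string( $path ) ) {
		$path = $m[4]; // fall back to the raw target if it does not parse
	}
	return array( 'ip' => $m[1], 'time' => $ts->getTimestamp(), 'method' => $m[3], 'path' => $path, 'status' => (int) $m[5] );
}

function triage( array $lines, int $window = 600 ): array {
	$last_ajax = array(); // ip => time of the most recent admin-ajax.php POST
	$findings  = array();
	foreach ( $lines as $line ) {
		$r = parse_combined( $line );
		if ( null === $r ) {
			continue;
		}
		if ( 'POST' === $r['method'] && preg_match( '#/wp-admin/admin-ajax\.php$#', $r['path'] ) ) {
			$last_ajax[ $r['ip'] ] = $r['time'];
			continue;
		}
		// The uploads tree holds media; a request to execute PHP from it is a
		// finding on its own. \b after "php" also catches double extensions
		// such as logo.php.png.
		if ( preg_match( '#/wp-content/uploads/.*\.php\b#i', $r['path'] ) ) {
			$recent     = isset( $last_ajax[ $r['ip'] ] ) && ( $r['time'] - $last_ajax[ $r['ip'] ] ) <= $window;
			$findings[] = array(
				'ip'       => $r['ip'],
				'path'     => $r['path'],
				'status'   => $r['status'],
				'severity' => $recent ? 'high' : 'medium',
				'reason'   => $recent
					? 'admin-ajax.php POST from the same IP within ' . $window . 's, then PHP requested from uploads'
					: 'PHP file requested from uploads',
			);
		}
	}
	return $findings;
}

// Constructed sample lines (TEST-NET addresses); not real traffic.
$sample = array(
	'203.0.113.7 - - [12/May/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
	'203.0.113.7 - - [12/May/2025:10:00:09 +0000] "GET /wp-content/uploads/2025/05/logo.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
	'198.51.100.3 - - [12/May/2025:10:01:00 +0000] "GET /wp-content/uploads/2025/05/logo.png HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
	'198.51.100.9 - - [12/May/2025:11:30:00 +0000] "GET /wp-content/uploads/2019/03/old.php HTTP/1.1" 404 196 "-" "curl/8.5.0"',
);

if ( PHP_SAPI === 'cli' ) {
	$lines = $argc > 1 ? file( $argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) : $sample;
	foreach ( triage( $lines ) as $f ) {
		printf( "%-6s %-13s %d %s  (%s)\n", $f['severity'], $f['ip'], $f['status'], $f['path'], $f['reason'] );
	}
}
```

On the sample data the script reports one high finding (the 203.0.113.7 pair) and one medium finding (the 404 for old.php), and ignores the PNG request. A 200 response for a .php path under uploads means the server ran or served the file and should be treated as a probable compromise rather than a probe; a 404 still indicates someone is looking.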
An All-Too-Familiar Pattern
“TheGem’s dual vulnerabilities represent a concerning but all-too-familiar pattern in WordPress ecosystem security,” says Javvad Malik, Lead Security Awareness Advocate at KnowBe4. “What’s particularly troubling is the implementation failure at both security checkpoints – proper file validation and robust permission controls are fundamental security principles, not optional extras. With 82,000 installations affected, the potential impact is substantial and demands immediate attention.”
Malik says site administrators should prioritize updating to version 5.10.3.1 without delay, review user permission structures, and consider implementing additional security layers such as a web application firewall. This incident serves as a timely reminder that security must be baked into development processes rather than treated as an afterthought.
“The security community has long advocated for defense-in-depth approaches precisely because of vulnerabilities like these. As we continue to see similar issues emerge, perhaps it’s time for more rigorous security standards across the WordPress theme marketplace,” he adds.
Beleaguered By Security Problems
“Unfortunately, these vulnerabilities won’t come as a surprise to anyone who’s followed WordPress’s security problems over the past couple of years,” comments Jamie Akhtar, CEO and Co-founder at CyberSmart.
Due to the nature of the platform and its use of third-party plugins, Akhtar says vulnerabilities are unfortunately very common and difficult for WordPress to tackle. “Just last year, we saw millions of WordPress websites at risk when five of the most popular plugins were compromised when hackers injected malicious code into them.”
Akhtar says this incident is slightly different, in that it concerns one of WordPress’s themes and not a third-party plugin, but it’s sadly the latest instalment in the platform’s long battle against such vulnerabilities.
“The good news is that WordPress has acted quickly, making it a very simple fix for worried customers. If you use WordPress’s Gem theme, download the latest update (which contains a patch for the vulnerability) as a matter of priority. It’s also worth monitoring your website for the next few weeks for any unusual activity.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.