Description
The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Published: 2025-05-13
Score: 8.8 High
EPSS: 1.2% Low
KEV: No
Impact: Remote Code Execution
Action: Patch immediately
AI Analysis

Impact

TheGem WordPress theme has a missing file type validation in the thegem_get_logo_url() function that allows an authenticated user with Subscriber-level access or higher to upload any file to the server. This flaw can be used to place malicious scripts or binaries on the website, potentially enabling remote code execution and full compromise of the site. The core weakness is a file upload validation failure, mapped to CWE-434.

Affected Systems

WordPress sites that use CodexThemes TheGem theme version 5.10.3 or earlier are vulnerable. All installations of these theme releases remain at risk until upgraded or mitigated.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of 1% suggests a low-but-not-zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate as a Subscriber or higher, which limits the attack surface but does not eliminate it. Successful exploitation could result in the execution of arbitrary code on the web server and full control of the WordPress installation.

Generated by OpenCVE AI on April 21, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TheGem theme to version 5.10.4 or later, which removes the vulnerable function.
  • If upgrading immediately is not possible, limit or disable the logo upload functionality by removing the relevant shortcode or consulting the theme developer for a temporary patch.
  • After applying a mitigation or patch, verify that no unauthorized files exist in the theme’s upload directory and monitor the site for any unusual activity.

Generated by OpenCVE AI on April 21, 2026 at 20:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-14370 The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
History

Tue, 13 May 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 13 May 2025 07:00:00 +0000

Type Values Removed Values Added
Description The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Title TheGem <= 5.10.3 - Authenticated (Subscriber+) Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:37.340Z

Reserved: 2025-05-05T13:58:46.175Z

Link: CVE-2025-4317

cve-icon Vulnrichment

Updated: 2025-05-13T13:18:43.775Z

cve-icon NVD

Status : Deferred

Published: 2025-05-13T07:15:52.327

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-4317

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T21:00:36Z

Weaknesses