The Gem theme for WordPress has a missing authorization flaw that permits users lacking sufficient privileges to manipulate theme settings and perform administrative actions. This vulnerability falls under CWE‑862, indicating that role‑based access checks are not properly enforced. An attacker who can reach the theme configuration interface could alter front‑end presentation, inject malicious content, or otherwise compromise the site’s integrity.

The issue affects all installations of CodexThemes TheGem theme version 5.10.5 and earlier. Any WordPress deployment that has not upgraded beyond that release is considered vulnerable, regardless of site configuration or user roles that may have been set. Site owners using older theme versions should verify their current theme build before assessing risk.

The CVSS score of 5.4 places this vulnerability in the medium severity range, while the EPSS score of less than 1% indicates a low probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote web request to the theme settings page, where the missing authorization check originates; this can be triggered by an unauthenticated or low‑privileged user if the interface is exposed. Because the flaw is confined to configuration management, it generally does not allow arbitrary code execution but can lead to unauthorized content changes and defacement.