82,000 WordPress Sites Affected by Arbitrary File Upload Vulnerability in TheGem WordPress Theme


On May 4th, 2025, we received a submission for an Arbitrary File Upload vulnerability in TheGem, a WordPress theme with more than 82,000 sales. This vulnerability can be used by authenticated attackers, with subscriber-level access and above, to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover.

Props to Foxyyy who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,405.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to the multi-layered approach to security.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on May 5, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on June 4, 2025.

We contacted the CodexThemes team on May 5, 2025, and received a response on the same day. After providing full disclosure details, the developer released a patch on May 7, 2025. We would like to commend the CodexThemes team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of TheGem, version 5.10.3.1 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

TheGem <= 5.10.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Theme Options Update

CVSS Rating: Medium (4.3)
CVE-ID: CVE-2025-4339
Affected Versions: <= 5.10.3
Patched Version: 5.10.3.1
Affected Software: TheGem
Affected Software Slug: thegem
Researcher: Foxyyy

The TheGem theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxApi() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary theme options.

TheGem <= 5.10.3 – Authenticated (Subscriber+) Arbitrary File Upload

CVSS Rating: High (8.8)
CVE-ID: CVE-2025-4317
Affected Versions: <= 5.10.3
Patched Version: 5.10.3.1
Bounty: $1,405.00
Affected Software: TheGem
Affected Software Slug: thegem
Researcher: Foxyyy

The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible.

Technical Analysis

TheGem is a popular multipurpose WordPress theme sold on the ThemeForest marketplace. It is compatible with the Elementor and WPBakery page builders as well as WooCommerce.

Examining the code reveals that the theme uses the ajaxApi() function in the ThegemThemeOptions class to manage the theme options, including updating them via the save action.

function ajaxApi() {

    // Nonce check only: this verifies the request carries a valid
    // 'thegem_theme_options_api' nonce, not that the user may change theme options.
    check_ajax_referer( 'thegem_theme_options_api', 'security' );

    // No current_user_can() capability check is performed in the vulnerable version.

    $request = json_decode(file_get_contents('php://input'), true);

    switch($request['to_action']) {
        case 'save':
            // Writes the submitted theme options, including the logo URL.
            $response = $this->apiSave($request);
            break;
        // ... remaining actions omitted ...
    }
    // ...
}

Although this function is protected with a nonce check, the nonce can unfortunately be obtained by authenticated attackers with access to the admin dashboard. Additionally, there was no capability check in the vulnerable version. This makes it possible for authenticated attackers with subscriber-level permission to invoke the AJAX action and update the theme options.

Among the many theme options is a setting for the logo URL. An attacker who can update theme options can therefore point the logo URL at a remote file on a server they control, which is the entry point for exploiting CVE-2025-4317.

When fetching the logo URL to display the logo on the website, the theme uses the thegem_get_logo_url() function, which contains the following code snippet:

if(!$local_file) {
    require_once(ABSPATH . 'wp-admin/includes/file.php');
    // Fetches the remote logo URL into a temporary file; no check on what it is.
    $temp_file = download_url($url);
    if(is_wp_error($temp_file)) {
        return $logo_url;
    }
}
// The extension is taken from the URL, so a .php URL yields a .php destination.
$temp_logo_filepath = $upload_logos_dir.'/temp_logo_file.'.$extention;
// The downloaded file is copied into the web-accessible uploads directory as-is.
$move_new_file = @copy($temp_file, $temp_logo_filepath);

Unfortunately, in the vulnerable version the function performs no file type or extension checks at all. If the logo URL points to a remote file of any type, including a file with a .php extension rather than an image, that file is downloaded to the server and copied into the WordPress uploads folder, which is publicly accessible by default. An authenticated attacker, even one with only subscriber-level access, can therefore chain the two vulnerabilities: use the missing capability check to set the logo URL, have the theme download arbitrary PHP code into the uploads folder, and then request that file to trigger remote code execution on the server.
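To make the two missing checks concrete, the following PHP sketch is an added illustration, not TheGem's actual code or its 5.10.3.1 patch (which the post does not reproduce): it adds a capability check to the AJAX handler described above and validates both the URL extension and the downloaded file's real content before anything is written to the uploads directory. The function names and the image allowlist are assumptions; the nonce action name and the temp file naming come from the snippets above.

```php
<?php
// Added illustration (not the theme's code): enforcing the two checks the
// vulnerable version lacks. Function names below are assumed, not TheGem's.

// 1. Authorization for the theme-options AJAX endpoint.
function hardened_ajax_api() {
    // A nonce proves the request came from the site's own UI, not that the
    // caller is allowed to change theme options; any logged-in user can obtain it.
    check_ajax_referer( 'thegem_theme_options_api', 'security' );

    // Capability check: only users who may edit theme options get further.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $request = json_decode( file_get_contents( 'php://input' ), true );
    // ... dispatch on $request['to_action'] as before ...
}

// 2. File type validation before a remote logo lands in the uploads directory.
function hardened_fetch_logo( $url, $upload_logos_dir ) {
    $allowed = array( 'png', 'jpg', 'jpeg', 'gif' ); // assumed allowlist of raster images

    // Validate the extension from the URL path, not the raw URL string.
    $path = wp_parse_url( $url, PHP_URL_PATH );
    $ext  = strtolower( pathinfo( (string) $path, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, $allowed, true ) ) {
        return new WP_Error( 'bad_ext', 'Logo URL must point to an image file.' );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $temp_file = download_url( $url );
    if ( is_wp_error( $temp_file ) ) {
        return $temp_file;
    }

    // Verify the bytes actually are an image: WordPress inspects the content
    // and returns ext/type = false when a file only pretends to be an image.
    $check = wp_check_filetype_and_ext( $temp_file, 'logo.' . $ext );
    if ( empty( $check['type'] ) || 0 !== strpos( $check['type'], 'image/' ) ) {
        @unlink( $temp_file );
        return new WP_Error( 'bad_type', 'Downloaded file is not an image.' );
    }

    $dest = $upload_logos_dir . '/temp_logo_file.' . $ext;
    $ok   = @copy( $temp_file, $dest );
    @unlink( $temp_file ); // never leave the raw download lying around
    return $ok ? $dest : new WP_Error( 'copy_failed', 'Could not store logo.' );
}
```

Even with these checks in place, disabling PHP execution in the uploads directory remains a worthwhile second layer, since it neutralises any file that slips through validation.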

As with all arbitrary file upload vulnerabilities, this can lead to complete site compromise through the use of webshells and other techniques.

Wordfence Firewall

The following graphic demonstrates the steps an attacker might take to exploit the vulnerability and the point at which the Wordfence firewall would block the attempt.

The Wordfence firewall rule detects the malicious AJAX action and blocks the request if it does not come from an existing authorized administrator.

The firewall also blocks requests for the temporary logo file written to the uploads directory.

Please note this protection only works if the “Disable Code Execution for Uploads directory” option is enabled in the Wordfence Global Options page. We strongly recommend all Wordfence users enable this option.

Disclosure Timeline

May 4, 2025 – We received the submission for the Arbitrary File Upload vulnerability in TheGem via the Wordfence Bug Bounty Program.
May 5, 2025 – We validated the report and confirmed the proof-of-concept exploit.
May 5, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
May 5, 2025 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
May 7, 2025 – The fully patched version of the theme, 5.10.3.1, was released.
June 4, 2025 – Wordfence Free users will receive the same protection.

Conclusion

In this blog post, we detailed an Arbitrary File Upload vulnerability within the TheGem theme affecting versions 5.10.3 and earlier. This vulnerability allows authenticated threat actors with subscriber-level permissions or higher to execute malicious code on the server. The vulnerability has been fully addressed in version 5.10.3.1 of the theme.

We encourage WordPress users to verify that their sites are updated to the latest patched version of TheGem as soon as possible considering the critical nature of this vulnerability.

If you know someone who uses this theme on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
