82,000+ WordPress Sites Exposed to Remote Code Execution Attacks

May 14, 2025 - 09:06

Two vulnerabilities have been identified in TheGem, a premium WordPress theme with more than 82,000 installations worldwide.

Researchers found the two issues, separate but interconnected, in TheGem versions 5.10.3 and earlier.

Chained together, they give a low-privileged user a path to remote code execution and complete site compromise.

“The downloaded file is copied to the WordPress uploads folder, which is publicly accessible by default… attackers can combine the two vulnerabilities to upload arbitrary malicious PHP code and then access the file to trigger remote code execution,” warns the Wordfence report.

Critical File Upload Vulnerability (CVE-2025-4317)

The first vulnerability, assigned a high-severity CVSS score of 8.8, involves arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function. 

This vulnerability allows authenticated attackers with subscriber-level access to upload potentially malicious files to affected servers.

The report's code excerpt is not reproduced here, but its behaviour is simple to describe: the function fetches whatever the configured logo URL points to and copies it into the uploads directory without checking the file's type or extension. Because the uploads directory is web-accessible and a URL ending in .php yields a file named the same way, this is the entry point for the attack chain below.

Theme Options Modification Vulnerability (CVE-2025-4339)

The second vulnerability, rated medium severity with a CVSS score of 4.3, stems from insufficient authorization checks in the theme's ajaxApi() function. The function is protected by a nonce check, but a nonce only proves that the request originated from a page WordPress served to that user; it does not establish that the user may change theme options. No capability check (such as current_user_can()) is performed.

As a result, any authenticated user with subscriber-level permissions can modify theme settings, including pointing the logo URL at attacker-controlled content.

Security experts have outlined a potential attack chain that exploits both vulnerabilities:

  • An attacker with subscriber-level access exploits CVE-2025-4339 to set the theme's logo URL to a remote PHP file they control.
  • When the site next renders the logo, thegem_get_logo_url() downloads that file and stores it in the uploads folder without validation.
  • The attacker then requests the uploaded file directly, executing arbitrary PHP on the server and potentially taking full control of the site.
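The following sketch is an added illustration, not TheGem's code (which this article does not reproduce), of the two weaknesses as generic WordPress patterns, each beside a hardened form. The option key, nonce action, hook name and function names are hypothetical; the WordPress API calls (check_ajax_referer, current_user_can, download_url, wp_check_filetype_and_ext, wp_handle_sideload) are real.

```php
<?php
// Added illustration, not TheGem's code. Option keys, nonce action and hook
// names are hypothetical; the WordPress API functions are real.

// --- Weakness 1: AJAX handler with a nonce but no capability check ---
// The nonce defends against CSRF only. Any logged-in subscriber can read the
// nonce from a front-end page and call this handler, so the option is
// effectively writable by every account on the site.
function vulnerable_ajax_api() {
    check_ajax_referer( 'theme_ajax_nonce', 'nonce' );
    $settings             = get_option( 'theme_settings', array() );
    $settings['logo_url'] = wp_unslash( $_POST['logo_url'] ?? '' ); // any value, any user
    update_option( 'theme_settings', $settings );
    wp_send_json_success();
}

// Hardened: keep the nonce for CSRF, require the capability that changing
// theme options actually needs, and constrain the value to an http(s) URL.
function hardened_ajax_api() {
    check_ajax_referer( 'theme_ajax_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $logo_url = esc_url_raw( wp_unslash( $_POST['logo_url'] ?? '' ) );
    $scheme   = wp_parse_url( $logo_url, PHP_URL_SCHEME );
    if ( '' === $logo_url || ! in_array( $scheme, array( 'http', 'https' ), true ) ) {
        wp_send_json_error( 'invalid url', 400 );
    }
    $settings             = get_option( 'theme_settings', array() );
    $settings['logo_url'] = $logo_url;
    update_option( 'theme_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_theme_ajax_api', 'hardened_ajax_api' );

// --- Weakness 2: copying a remote file into uploads without type validation ---
// The remote file name becomes the on-disk name, so a URL ending in shell.php
// produces a web-reachable PHP file under wp-content/uploads.
function vulnerable_get_logo_url( $url ) {
    $upload_dir = wp_upload_dir();
    $name       = basename( $url );
    $tmp        = download_url( $url );
    if ( ! is_wp_error( $tmp ) ) {
        copy( $tmp, $upload_dir['basedir'] . '/' . $name ); // no type check
        @unlink( $tmp );
    }
    return $upload_dir['baseurl'] . '/' . $name;
}

// Hardened: accept only image types, require extension and content to agree,
// and let WordPress choose a safe on-disk name instead of trusting the URL.
function hardened_get_logo_url( $url ) {
    $tmp = download_url( $url );
    if ( is_wp_error( $tmp ) ) {
        return '';
    }
    $allowed = array(
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
    $remote_name = basename( (string) wp_parse_url( $url, PHP_URL_PATH ) );
    $check       = wp_check_filetype_and_ext( $tmp, $remote_name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        @unlink( $tmp );   // content or extension not an allowed image
        return '';
    }
    $file = array(
        'name'     => 'logo-' . wp_generate_password( 8, false ) . '.' . $check['ext'],
        'tmp_name' => $tmp,
    );
    $result = wp_handle_sideload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        @unlink( $tmp );
        return '';
    }
    return $result['url'];
}
```

The point of the pairing is that either fix alone breaks the chain: with the capability check, a subscriber cannot set the URL; with the type validation, a settable URL can only ever produce an image in uploads.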

Immediate Action Required

The vulnerabilities were responsibly disclosed to CodexThemes, who promptly released a patched version (5.10.3.1) on May 7, 2025.

“We urge users to update their sites with the latest patched version of TheGem, version 5.10.3.1 at the time of this writing, as soon as possible,” advised the Wordfence security team.

Wordfence Premium users have received firewall protection against these exploits since May 5, while free users will receive protection on June 4, 2025. Website administrators using TheGem theme should immediately:

  • Update to version 5.10.3.1 or later.
  • Consider implementing a web application firewall.
  • Review site user roles and permissions.
  • Monitor for suspicious activity in server logs.
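As an added example (not from the article or the theme) of what "monitor for suspicious activity" can mean concretely for this chain: a PHP CLI script that lists PHP-like files under the uploads directory and flags access-log requests for PHP under /wp-content/uploads/ or POSTs to admin-ajax.php. The directory path and log lines are constructed for the illustration.

```php
<?php
// Added example, not from the article or the theme. Paths and the sample log
// lines below are constructed.

// 1. PHP-like files under wp-content/uploads. WordPress never needs executable
//    files there, so every hit deserves a look.
function find_php_in_uploads( string $uploads_dir ): array {
    $hits = array();
    if ( ! is_dir( $uploads_dir ) ) {
        return $hits;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $uploads_dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $it as $file ) {
        if ( preg_match( '/\.(php\d?|phtml|phar)$/i', $file->getFilename() ) ) {
            $hits[] = $file->getPathname();
        }
    }
    return $hits;
}

// 2. Access-log lines (common/combined format) that match the two observable
//    steps of the chain: the settings change goes through admin-ajax.php, and
//    the final step is a request for the dropped file under uploads.
function suspicious_log_lines( array $lines ): array {
    $out = array();
    $re  = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(GET|POST) ([^ "]+)[^"]*" (\d{3})~';
    foreach ( $lines as $line ) {
        if ( ! preg_match( $re, $line, $m ) ) {
            continue;
        }
        [ , $ip, $ts, $method, $path, $status ] = $m;
        $path_only = strtok( $path, '?' );   // drop the query string
        $reason    = null;
        if ( preg_match( '~/wp-content/uploads/.*\.(php\d?|phtml|phar)$~i', $path_only ) ) {
            $reason = 'php under uploads';
        } elseif ( 'POST' === $method && preg_match( '~/wp-admin/admin-ajax\.php$~', $path_only ) ) {
            $reason = 'admin-ajax POST';
        }
        if ( null !== $reason ) {
            $out[] = array(
                'ip'     => $ip,
                'time'   => $ts,
                'reason' => $reason,
                'path'   => $path,
                'status' => (int) $status,
            );
        }
    }
    return $out;
}

// Constructed sample showing the trail a successful chain would leave.
$sample = array(
    '203.0.113.7 - - [14/May/2025:09:01:12 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/May/2025:09:01:13 +0000] "GET / HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/May/2025:09:01:15 +0000] "GET /wp-content/uploads/logo.php?cmd=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/May/2025:09:02:00 +0000] "GET /wp-content/uploads/2025/05/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
);
foreach ( suspicious_log_lines( $sample ) as $hit ) {
    printf( "%s %s %s %s -> %d\n", $hit['time'], $hit['ip'], $hit['reason'], $hit['path'], $hit['status'] );
}
foreach ( find_php_in_uploads( '/var/www/html/wp-content/uploads' ) as $path ) {   // hypothetical path
    echo "PHP file in uploads: {$path}\n";
}
```

admin-ajax.php POSTs are noisy on a busy site, so treat that signal as context for the uploads hit (same client, shortly before) rather than as an alert on its own; a 200 on a .php request under uploads is the line that matters.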

As WordPress powers approximately 43% of all websites globally, vulnerabilities in popular themes like TheGem represent significant security risks with potential widespread impact.

This incident serves as a stark reminder of the importance of regular software updates, vigilant user permission management, and the implementation of robust security measures such as web application firewalls.


The post 82,000+ WordPress Sites Exposed to Remote Code Execution Attacks appeared first on Cyber Security News.