WordPress plug-in TheGem: security leak puts 82,000 websites at risk
There are security gaps in the WordPress plug-in TheGem. One of them allows malicious code to be injected and the instance to be taken over.
IT researchers have discovered two vulnerabilities in the WordPress plug-in TheGem, which has been sold more than 82,000 times and is therefore active on a similar number of WordPress instances. One can allow attackers to inject and execute malicious code. An updated version is available that closes the vulnerabilities.
TheGem is a multifunctional plug-in that provides themes as well as directly usable functions for self-created websites. It is compatible with the popular WordPress website builders Elementor, WPBakery and WooCommerce.
High-risk security leak in TheGem
The IT security researchers at Wordfence have been notified of two security vulnerabilities via their bug bounty program. Due to a missing file type check in the thegem_get_logo_url() function, attackers can upload arbitrary files, which enables the execution of injected malicious code and ultimately the complete compromise of the instance. The attackers require at least “subscriber” level access rights (CVE-2025-4317, CVSS 8.8, risk “high”).
The second vulnerability allows data to be modified as the ajaxApi() function performs insufficient checks. This allows attackers with “subscriber” level access or higher rights to update arbitrary options of the theme (CVE-2025-4339, CVSS 4.3, risk “medium”).
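As an added illustration (not TheGem's own code), the following hypothetical WordPress AJAX logo-upload handler shows the server-side checks whose absence is described above for thegem_get_logo_url() and ajaxApi(): a capability check that stops subscriber-level accounts, a nonce check, a content-based file type allow-list, and an option update limited to a single fixed key. All function, action and option names are assumptions.

```php
<?php
// Added example, not TheGem's code: a hypothetical logo-upload AJAX handler
// with the checks described in the article. Names are assumptions.

add_action( 'wp_ajax_example_upload_logo', 'example_upload_logo' );

function example_upload_logo() {
    // 1. Authorization: a "subscriber" account must not reach this code path.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection for the AJAX endpoint (dies on an invalid nonce).
    check_ajax_referer( 'example_upload_logo', 'nonce' );

    if ( empty( $_FILES['logo']['tmp_name'] ) || empty( $_FILES['logo']['name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. File type check: only image types, validated against the file's
    //    content rather than the client-supplied name or MIME header alone.
    $allowed = array(
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
        'gif'      => 'image/gif',
    );
    $check = wp_check_filetype_and_ext( $_FILES['logo']['tmp_name'], $_FILES['logo']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // Let WordPress move the file with its own name sanitisation and the same allow-list.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $upload = wp_handle_upload( $_FILES['logo'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 400 );
    }

    // 4. The option written is a fixed key chosen by the code, never one
    //    taken from the request, so arbitrary theme options cannot be updated.
    update_option( 'example_theme_logo_url', esc_url_raw( $upload['url'] ) );
    wp_send_json_success( array( 'url' => $upload['url'] ) );
}
```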
TheGem versions up to and including 5.10.3 are affected; the update to version 5.10.3.1 patches the vulnerabilities. WordPress admins should apply the update quickly.
In mid-April, attackers abused a vulnerability in the SureTriggers WordPress plugin that had become known shortly beforehand. Vulnerabilities in WordPress plug-ins are very popular with cyber criminals.
(dmk)