Security researchers have identified two vulnerabilities in the popular WordPress plugin TheGem, which has been downloaded over 82,000 times. One of the flaws allows attackers to inject malicious code, potentially compromising the affected websites.
TheGem is a multifunctional plugin that offers themes and features for building websites. It works with widely-used WordPress builders like Elementor, WPBakery, and WooCommerce.
High-Risk Vulnerabilities Discovered
Researchers at Wordfence uncovered these vulnerabilities through their vulnerability reward program. The first flaw stems from insufficient file type checking in the affected file-upload function, which allows attackers to upload arbitrary files and execute malicious code, potentially taking control of the site. Exploiting it requires only "subscriber"-level access (CVE-2025-4317, CVSS 8.8, high risk).
The second issue stems from inadequate authorization checks in the affected settings function, which enables attackers with "subscriber" or higher permissions to modify arbitrary theme settings (CVE-2025-4339, CVSS 4.3, medium risk).
Both vulnerabilities affect TheGem versions 5.10.3 and above; both are fixed in the latest update, version 5.10.3.1. WordPress administrators are strongly advised to apply this update as soon as possible.
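The two flaw classes above (an upload handler that does not verify file types or the caller's capability, and a settings handler that lets any logged-in user write arbitrary options) are common in WordPress plugins, and the fix pattern is the same regardless of plugin. The following is an added illustration written for this article, not TheGem's code or Wordfence's proof of concept: each hypothetical handler is shown in its weak form beside a hardened form that uses WordPress's own nonce, capability, and file-type checks. All function names, AJAX action names, nonce actions, and option keys are invented for the example.

```php
<?php
// Added illustration, not TheGem's code. Handler, action, nonce, and option
// names are hypothetical. Assumes it runs inside a WordPress plugin.

// --- 1. Arbitrary file upload -------------------------------------------
// Weak pattern: trusts the client-supplied filename, checks nothing about the
// caller (any logged-in user, including a subscriber, reaches wp_ajax_*),
// and never inspects the file type.
function example_vulnerable_upload() {
    $file = $_FILES['file'];
    move_uploaded_file( $file['tmp_name'], wp_upload_dir()['path'] . '/' . $file['name'] );
}

// Hardened form: nonce, an explicit capability, extension + MIME validation
// via wp_check_filetype_and_ext(), and delegation to wp_handle_upload(),
// which re-validates and stores the file under a sanitized, unique name.
function example_hardened_upload() {
    check_ajax_referer( 'example_upload_nonce', 'nonce' );

    // Subscribers do not have upload_files, so this alone blocks the
    // low-privilege path described in the advisory.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    if ( empty( $_FILES['file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }

    // Allow only what this handler actually needs (images here), not the
    // site-wide upload_mimes list, which an admin may have widened.
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' );
    $check   = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    $result = wp_handle_upload( $_FILES['file'], array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}
add_action( 'wp_ajax_example_upload', 'example_hardened_upload' );

// --- 2. Unauthorized settings modification ------------------------------
// Weak pattern: writes whatever option name and value the request supplies,
// so any authenticated user can change arbitrary settings.
function example_vulnerable_save_settings() {
    update_option( $_POST['name'], $_POST['value'] );
}

// Hardened form: nonce, an administrative capability, and an allow-list of
// option keys so the request can only touch the plugin's own settings.
function example_hardened_save_settings() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $allowed_keys = array( 'example_theme_accent_color', 'example_theme_layout' );
    $name = isset( $_POST['name'] ) ? sanitize_key( $_POST['name'] ) : '';
    if ( ! in_array( $name, $allowed_keys, true ) ) {
        wp_send_json_error( 'unknown setting', 400 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_settings', 'example_hardened_save_settings' );
```

Both hardened handlers are registered only on the `wp_ajax_` hook (authenticated users), never on `wp_ajax_nopriv_`; the capability check is still required because `wp_ajax_` alone admits every role down to subscriber. When reviewing a plugin for this class of bug, the three things to look for in each handler are the nonce check, a `current_user_can()` call with a capability stronger than `read`, and, for uploads, that the file type decision comes from `wp_check_filetype_and_ext()` or `wp_handle_upload()` rather than from the client-supplied extension.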
Ongoing Security Concerns with WordPress Plugins
This discovery comes amid ongoing security concerns with other WordPress plugins, such as the SureTriggers plugin, which has also been targeted by cybercriminals. Security researchers continue to monitor and raise awareness about vulnerabilities in WordPress plugins.
Immediate Action Required
Website administrators using TheGem are urged to update their plugins immediately to safeguard against potential security breaches.