PT-2025-20835 · WordPress · Thegem

Friderika Baranyai · Published 2025-05-13 · Updated 2025-05-18

CVE-2025-4317

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: TheGem theme for WordPress, versions up to and including 5.10.3

Description: The issue arises from missing file type validation in the thegem_get_logo_url() function, allowing authenticated attackers with Subscriber-level access or higher to upload arbitrary files to the site's server. This could potentially enable remote code execution.

Recommendations: For versions up to and including 5.10.3, update to a version that includes a fix for the missing file type validation in the thegem_get_logo_url() function. As a temporary workaround, consider disabling the thegem_get_logo_url() function until a patch is available.
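The defect class named above is an upload handler that never checks what kind of file it was handed. The following is an added illustration, not code from the TheGem theme and not a reconstruction of thegem_get_logo_url(): the function names example_save_logo_unsafe() and example_save_logo_safe() and the nonce action name are hypothetical, while wp_check_filetype_and_ext(), wp_handle_upload(), current_user_can() and wp_verify_nonce() are real WordPress core functions. It contrasts an unchecked pattern with one that validates the upload on the server.

```php
<?php
// Added example, not the theme's code. Shows the class of defect the advisory
// describes (an upload path with no file type validation) next to a hardened
// version that relies on WordPress core helpers. Function names are hypothetical.

// Hypothetical unsafe pattern: trusts the client-supplied filename and MIME
// type and writes whatever was uploaded straight into the uploads directory.
function example_save_logo_unsafe( array $file ) {
    $upload_dir = wp_upload_dir();
    $target     = trailingslashit( $upload_dir['path'] ) . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $target ); // no type or privilege check
    return trailingslashit( $upload_dir['url'] ) . basename( $file['name'] );
}

// Hardened pattern: capability check, nonce check, and a server-side file type
// check that inspects file content rather than trusting extension or declared MIME.
function example_save_logo_safe( array $file ) {
    // Subscribers do not hold 'upload_files' by default, so this alone blocks
    // the privilege level the advisory names; the type check is the real fix.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient privileges.' );
    }
    $nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_logo_upload' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }

    // Allow-list of logo formats: extension pattern => MIME type.
    $allowed = array(
        'png'      => 'image/png',
        'jpg|jpeg' => 'image/jpeg',
        'gif'      => 'image/gif',
    );

    // Core verifies the actual content (image header / finfo) against the
    // extension and the allow-list; both 'ext' and 'type' are empty on mismatch.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only PNG, JPEG or GIF logos are accepted.' );
    }

    // Let core move the file with its own filename sanitisation and unique
    // naming, again restricted to the same allow-list.
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_failed', $result['error'] );
    }
    return $result['url'];
}
```

The point of the hardened version is that the decision is made from the file's content and an explicit allow-list on the server, so a renamed script with an image extension or a forged Content-Type header does not pass; the capability and nonce checks are additional layers, not a substitute for the type check.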

Fix

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

CVE-2025-4317

Affected Products

Thegem