Hackers Attack 82,000+ WordPress Sites via This Popular Theme – Is Yours at Risk?


A critical security alert has been issued for users of TheGem, a premium WordPress theme installed on over 82,000 websites worldwide. If you’re using this theme, you could be vulnerable to a full-site takeover.

🔥 Two newly discovered vulnerabilities in TheGem (version 5.10.3 and earlier) open the door for remote code execution (RCE)—meaning hackers could run malicious code on your site and take full control.

🛑 How the Hack Works (In Simple Terms)

Security researchers found two separate flaws that, when used together, become a hacker’s dream toolkit.

“Attackers can upload malicious PHP files and execute them remotely through a publicly accessible folder,” warns Wordfence in their security bulletin.

Vulnerability 1: File Upload Flaw (CVE-2025-4317)

  • Severity: High (CVSS 8.8)
  • 💥 What it does: Allows subscribers to upload any file, including dangerous PHP scripts.
  • 🔍 The issue: The theme fails to properly validate file types when handling logo uploads via thegem_get_logo_url().
[Image: code snippet illustrating the file upload vulnerability in TheGem theme]

Vulnerability 2: Theme Option Exploit (CVE-2025-4339)

  • Severity: Medium (CVSS 4.3)
  • 🧠 What it does: Lets users with even the lowest permissions (like subscribers) change theme settings.
  • ⚠️ The catch: The ajaxApi() function lacks proper permission checks.
[Image: diagram showing how attackers can modify theme options via the ajaxApi() function]

🧩 When Combined: Full Site Compromise

Hackers don’t even need admin access. Here’s how the attack chain works:

  1. Subscriber-level user changes the logo URL to a malicious file (using CVE-2025-4339).
  2. When the site loads the logo, the theme downloads that malicious file with no checks (via CVE-2025-4317).
  3. Hacker then visits the uploaded file’s URL and executes remote code on the server.
[Image: how attackers chain the two flaws to take control of WordPress sites]
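To make the two missing checks concrete, here is an added, hypothetical WordPress admin-ajax handler for saving a theme logo URL. It is written for this article and is not TheGem's code; the hook, function and option names (example_theme_save_logo, example_theme_validate_logo_url, example_theme_logo_url) are assumptions. It shows the capability check that the article says ajaxApi() lacked, alongside a file-type check that rejects non-image URLs before anything is stored or fetched.

```php
<?php
// Added illustrative example (not TheGem's code). All names are hypothetical.

add_action( 'wp_ajax_example_theme_save_logo', 'example_theme_save_logo' );

/**
 * Return the URL if it points to an allowed image file type, or null otherwise.
 * Rejecting .php and other non-image extensions here blocks the path the
 * article describes for CVE-2025-4317 (a logo "image" that is really a script).
 */
function example_theme_validate_logo_url( $url ) {
    $url = esc_url_raw( trim( (string) $url ) );
    if ( '' === $url ) {
        return null;
    }
    // Check only the path: a query string must not influence the decision.
    $path = (string) wp_parse_url( $url, PHP_URL_PATH );
    $type = wp_check_filetype( $path ); // uses the site's allowed MIME list
    $image_exts = array( 'png', 'jpg', 'jpeg', 'gif', 'webp' );
    if ( empty( $type['ext'] ) || ! in_array( strtolower( $type['ext'] ), $image_exts, true ) ) {
        return null;
    }
    if ( 0 !== strpos( (string) $type['type'], 'image/' ) ) {
        return null;
    }
    return $url;
}

function example_theme_save_logo() {
    // 1. Nonce: the request must come from a page the site itself issued.
    check_ajax_referer( 'example_theme_options', 'nonce' );

    // 2. Capability: only users allowed to manage options may change theme
    //    settings. This is the check the article says ajaxApi() was missing
    //    (CVE-2025-4339); a subscriber stops here with HTTP 403.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: accept only URLs that resolve to an image type.
    $raw  = isset( $_POST['logo_url'] ) ? wp_unslash( $_POST['logo_url'] ) : '';
    $logo = example_theme_validate_logo_url( $raw );
    if ( null === $logo ) {
        wp_send_json_error( array( 'message' => 'Logo must be a PNG, JPEG, GIF or WebP URL.' ), 400 );
    }

    update_option( 'example_theme_logo_url', $logo );
    wp_send_json_success( array( 'logo_url' => $logo ) );
}
```

If the theme later downloads the file from that URL, the downloaded content should be checked again with wp_check_filetype_and_ext() before it is written under wp-content, since the URL's extension alone is not proof of what the remote server returns.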

🚀 What You Should Do Immediately

CodexThemes responded quickly and released a patched version, 5.10.3.1, on May 7, 2025.

Update Immediately:

Go to your WordPress dashboard and update TheGem theme to version 5.10.3.1 or later.

🛡️ Additional Actions to Protect Your Site:

  • Install a Web Application Firewall (WAF).
  • Limit subscriber permissions—no one should have more access than needed.
  • Check your server logs for suspicious uploads.
  • Enable auto-updates for themes and plugins going forward.

Keeping themes updated is your first line of defense.

🧠 Why This Matters

WordPress powers over 43% of the internet. A single vulnerability in a popular theme like TheGem can put tens of thousands of websites—and user data—at serious risk.

Let this be your reminder:
💡 Update regularly, audit permissions, and never skip security plugins.
