CVE-2025-4317
published 2025-05-13


Priority: P2 (60), high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H)
EPSS: 1.05% (60.1st percentile)
The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
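The advisory names the defect (no file type validation on an upload path) and the precondition (any authenticated user, Subscriber and up). Two things a practitioner wants from that are a quick way to tell whether an install is in the affected range, and the allowlist check a hardened logo upload handler would have to perform; a responder also wants to hunt for what an exploit leaves behind, namely server-executable files under wp-content/uploads. The following Python is an added example written for this page, not TheGem's code and not derived from the vulnerable function. It assumes the theme's style.css carries a standard WordPress "Version:" header, that uploads land under wp-content/uploads/ as on a default install, and that a logo should be one of a few raster image types (an assumed allowlist; the theme's real policy is not on the page). The sample inputs are constructed.

```python
"""Checks around CVE-2025-4317 (TheGem <= 5.10.3, unvalidated upload).

Added example, not code from TheGem or from the advisory.
Assumptions: style.css has a WordPress 'Version:' header; uploads live
under wp-content/uploads/; a logo is expected to be a raster image.
"""
import re
from typing import List, Optional

MAX_AFFECTED = "5.10.3"  # "all versions up to, and including, 5.10.3"

# Assumed allowlist for a site logo: extension -> leading magic bytes.
IMAGE_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
    ".webp": b"RIFF",
}

# Extensions a PHP-enabled web server may execute; any such file under
# uploads/ is suspect, including a second extension as in shell.php.png.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def parse_theme_version(style_css: str) -> Optional[str]:
    """Pull the 'Version:' value out of a theme's style.css header block."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", style_css, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(v: str) -> tuple:
    """Numeric components so that 5.9 < 5.10.3 < 5.10.10 compares correctly."""
    return tuple(int(p) for p in v.strip(".").split("."))


def is_affected(version: str) -> bool:
    """True when the installed version is <= 5.10.3."""
    return version_tuple(version) <= version_tuple(MAX_AFFECTED)


def logo_upload_allowed(filename: str, data: bytes) -> bool:
    """Allowlist check a hardened logo handler would perform.

    The final extension must be an image type, the bytes must match it,
    and no executable extension may hide earlier in the name.
    """
    name = filename.lower()
    m = re.search(r"(\.[a-z0-9]+)$", name)
    if not m:
        return False
    magic = IMAGE_MAGIC.get(m.group(1))
    if magic is None or not data.startswith(magic):
        return False
    inner = name.split(".")[1:-1]
    return not any(p in EXECUTABLE_EXTS for p in inner)


def suspicious_uploads(paths: List[str]) -> List[str]:
    """Post-exploitation hunt: files under wp-content/uploads whose
    extension list contains something the server would execute."""
    hits = []
    for p in paths:
        if "/wp-content/uploads/" not in p:
            continue
        exts = p.rsplit("/", 1)[-1].lower().split(".")[1:]
        if any(e in EXECUTABLE_EXTS for e in exts):
            hits.append(p)
    return hits


if __name__ == "__main__":
    # Constructed sample style.css header and file listing.
    style_css = "/*\nTheme Name: TheGem\nVersion: 5.10.3\n*/\n"
    v = parse_theme_version(style_css)
    print("TheGem", v, "affected:", is_affected(v))
    listing = [
        "/var/www/wp-content/uploads/2025/05/logo.png",
        "/var/www/wp-content/uploads/2025/05/x.php",
        "/var/www/wp-content/uploads/2025/05/shell.php.png",
        "/var/www/wp-content/themes/thegem/functions.php",
    ]
    print("suspect uploads:", suspicious_uploads(listing))
    print("logo.png ok:", logo_upload_allowed("logo.png", IMAGE_MAGIC[".png"]))
    print("shell.php ok:", logo_upload_allowed("shell.php", b"<?php system($_GET['c']);"))
```

The version check compares numeric tuples rather than strings so that a hypothetical 5.10.10 is correctly treated as newer than 5.10.3. The upload check refuses on three independent grounds (extension not on the allowlist, content not matching the claimed type, executable extension buried in the name) because any one of them alone is routinely bypassed.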

Affected (6 ranges listed)

Vendor        Product                                      Version range         Fixed in
codexthemes   thegem                                       <= 5.10.3             (not listed)
linux         linux_kernel                                 >= 6.13.0 < 6.18.3    6.18.3
linux         linux_kernel                                 >= 6.8.0 < 6.12.64    6.12.64
msrc          azl3_postgresql_16.1-1_on_azure_linux_3.0
msrc          azl3_postgresql_16.3-1_on_azure_linux_3.0
msrc          cbl2_postgresql_14.11-1_on_cbl_mariner_2.0

Only the codexthemes/thegem row corresponds to the vulnerability described above, which is in a WordPress theme. The Linux kernel and Azure Linux / CBL-Mariner PostgreSQL rows do not match this advisory and should be read as mis-associated feed data rather than as additional affected products. No fixed TheGem version is given on this page; treat any install at or below 5.10.3 as affected and confirm the patched version with the vendor.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             3.1       8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_redhat             5.5     LOW
vendor_msrc               4.3     MEDIUM

The NVD score is the one that applies to TheGem: network-reachable, low complexity, low privileges (Subscriber), no user interaction, full confidentiality, integrity and availability impact. The Red Hat and MSRC scores accompany the unrelated kernel and PostgreSQL rows above; neither vendor ships this theme.