
CVE-2025-4317 – TheGem <= 5.10.3 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2025-4317
12 May 2025 — The TheGem theme for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the thegem_get_logo_url() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible. • https://codex-themes.com/thegem/changelog.html • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2025-4339 – TheGem <= 5.10.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Theme Options Update
https://notcve.org/view.php?id=CVE-2025-4339
12 May 2025 — The TheGem theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajaxApi() function in all versions up to, and including, 5.10.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary theme options. • https://codex-themes.com/thegem/changelog.html • CWE-862: Missing Authorization •

CVE-2023-50892 – WordPress TheGem Theme <= 5.9.1 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-50892
26 Dec 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem - Creative Multi-Purpose & WooCommerce WordPress Theme allows Reflected XSS. This issue affects TheGem - Creative Multi-Purpose & WooCommerce WordPress Theme: from n/a through 5.9.1. • https://patchstack.com/database/vulnerability/thegem/wordpress-thegem-theme-5-9-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-32237 – Auth. Stored Cross-Site Scripting (XSS) vulnerability in TheGem theme by CodexThemes
https://notcve.org/view.php?id=CVE-2023-32237
05 May 2023 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem (Elementor), CodexThemes TheGem (WPBakery) allows Stored XSS. This issue affects TheGem (Elementor): from n/a before 5.8.1.1; TheGem (WPBakery): from n/a before 5.8.1.1. • https://patchstack.com/database/vulnerability/thegem-elementor/wordpress-thegem-elementor-theme-5-7-2-auth-stored-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-32238 – TheGem < 5.8.1.1 - Improper Authentication
https://notcve.org/view.php?id=CVE-2023-32238
05 May 2023 — The TheGem theme for WordPress is vulnerable to improper authentication in versions up to 5.8.1.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to perform an unknown action. • CWE-287: Improper Authentication •