CVE-2025-4339
Description
TheGem WordPress theme <=5.10.3 allows authenticated users with subscriber-level access to update arbitrary theme options via missing capability checks in the ajaxApi() function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TheGem is a premium WordPress theme that supports both WPBakery and Elementor page builders [1]. In versions up to and including 5.10.3, the theme's ajaxApi() function lacks a capability check, enabling authenticated users with Subscriber-level access or higher to modify arbitrary theme options. The vulnerability exists because the function does not verify that the user has sufficient permissions before processing AJAX requests to update theme settings.
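The pattern described above, a WordPress AJAX handler that writes theme options without checking the caller's capabilities, shown beside a hardened version. This is an added illustration and not TheGem's code; the function names, the `example_theme_api` action, the nonce action name, the option prefix and the option allow-list are all hypothetical. Note that `wp_ajax_{action}` hooks run for every logged-in user, so being authenticated is not an authorization check by itself.

```php
<?php
// Added illustration, not TheGem's code. All names below are hypothetical.

// --- Weak pattern: any logged-in user (including Subscribers) reaches the write. ---
// The handler reads an arbitrary option key and value from the request and
// stores it. Nothing verifies who the caller is or that the request was intended.
function example_theme_ajax_api_vulnerable() {
    $option = sanitize_key( $_POST['option'] ?? '' );
    $value  = wp_unslash( $_POST['value'] ?? '' );
    update_option( 'example_theme_' . $option, $value ); // no capability check
    wp_send_json_success();
}

// --- Hardened pattern: verify intent (nonce) and authority (capability) first. ---
function example_theme_ajax_api_fixed() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() dies with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_theme_ajax', 'nonce' );

    // 2. Authorization: only users who may edit theme options may proceed.
    //    'edit_theme_options' is the core capability for this kind of change.
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Restrict writes to an allow-list of known option keys instead of
    //    accepting whatever key the request names.
    $allowed = array( 'primary_color', 'logo_url', 'footer_text' ); // hypothetical
    $option  = sanitize_key( $_POST['option'] ?? '' );
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown option' ), 400 );
    }

    // 4. Sanitize the value for its expected type before persisting it.
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( 'example_theme_' . $option, $value );
    wp_send_json_success( array( 'option' => $option ) );
}

// Only the hardened handler is registered. The 'wp_ajax_' prefix means the hook
// fires for authenticated users of any role, which is exactly why the capability
// check inside the handler is required.
add_action( 'wp_ajax_example_theme_api', 'example_theme_ajax_api_fixed' );
```

When auditing a theme or plugin for this class of bug, list every `add_action( 'wp_ajax_...' )` registration and confirm that each handler calls `current_user_can()` with an appropriate capability (and a nonce check) before any `update_option()` or similar write; a handler that only relies on the user being logged in has the same exposure described for ajaxApi() above.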
To exploit this, an attacker needs only a valid WordPress user account with Subscriber role—the lowest non-public role. No additional privileges or special network access are required. The attacker can send a crafted authenticated AJAX request to the vulnerable endpoint, passing any theme option key-value pair to be saved.
This can allow an attacker to alter theme settings such as enabling dangerous features, changing site URLs, or modifying global styles. While the impact is limited to theme options (not arbitrary PHP code execution), unauthorized modification of these settings can lead to defacement, information disclosure, or further exploitation depending on the theme's functionality.
The vendor has released a fix; users should update TheGem to version 5.10.4 or later. No workaround is provided for unpatched versions [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.10.3
- Package: https://wordpress.org/themes/thegem
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.