CVE-2025-60097
Description
Missing Authorization vulnerability in CodexThemes TheGem thegem allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TheGem: from n/a through <= 5.10.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-60097 is a missing authorization vulnerability in the WordPress TheGem theme (<=5.10.5) allowing attackers to exploit incorrectly configured access controls.
Vulnerability
CVE-2025-60097 is a missing authorization vulnerability in the WordPress TheGem theme, affecting versions through 5.10.5. The issue stems from the theme's failure to properly enforce access controls, allowing exploitation of incorrectly configured security levels [1]. This type of broken access control can be triggered without authentication, as the theme may not validate user privileges for certain actions.
Exploitation
Attackers can exploit this vulnerability without requiring elevated privileges, as the missing authorization checks allow unauthenticated users to perform actions intended for higher-privileged roles. The vulnerability is accessible via network requests, and no special prerequisites are needed beyond targeting a website running the vulnerable theme [1]. The theme's failure to implement proper nonce tokens or capability checks exacerbates the risk.
Impact
Successful exploitation could enable an attacker to execute actions that should be restricted to administrators, such as modifying theme settings or accessing sensitive information. This could lead to partial loss of integrity and confidentiality, but no direct privilege escalation is guaranteed beyond the scope of the broken access control.
Mitigation
The vendor has addressed this vulnerability in a version beyond 5.10.5; users are strongly advised to update to the latest available version immediately [1]. No workarounds are documented, and the vulnerability has been exploited in mass campaigns, highlighting the urgency of patching.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <= 5.10.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.