CVE-2025-60096 - Vulnerability Details

- WordPress TheGem (Elementor) Theme <= 5.10.5 - Broken Access Control Vulnerability

Description

Missing Authorization vulnerability in CodexThemes TheGem (Elementor) thegem-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TheGem (Elementor): from n/a through <= 5.10.5.

Published: 2025-09-26

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

TheGem (Elementor) is a WordPress theme that suffers from a missing authorization check, allowing attackers to exploit incorrectly configured access control levels. This flaw falls under CWE‑862 and can result in unauthorized access to privileged functions or content that should be restricted to certain user roles. Traditional WordPress administrative pages or content editing features may become accessible to unauthenticated or low‑privilege users.

Affected Systems

The affected product is CodexThemes TheGem (Elementor) theme for WordPress. Versions from earliest release through 5.10.5 inclusive are impacted, with no fixed version listed. Users running any of these releases should review their installation and plan for an update.

Risk and Exploitability

With a CVSS score of 5.4, the vulnerability is considered moderate, yet the EPSS score of less than 1% suggests a small likelihood of exploitation in the wild. The issue is not listed in CISA’s KEV catalog. Exploitation would likely involve web‑based attacks against the theme’s administrative interfaces, possibly requiring some knowledge of WordPress role configuration. Monitoring for unusual access patterns and applying an update mitigate the risk.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

CodexThemes

TheGem (Elementor)

unaffected

Version	Status	Constraints
`0`	affected	≤ 5.10.5

No data.

Vendor	Product	Confidence	Versions
Codexthemes	Thegem	—	—
Elementor	Elementor	—	—
Wordpress	Wordpress	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the TheGem (Elementor) theme to a version newer than 5.10.5 once a patch is available
Verify that WordPress user roles and capabilities are correctly configured, ensuring that sensitive functions are limited to appropriate users
If an immediate update cannot be applied, restrict public access to the theme’s admin pages and monitor server logs for suspicious activity

Generated by OpenCVE AI on April 30, 2026 at 00:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-31304	Missing Authorization vulnerability in CodexThemes TheGem (Elementor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TheGem (Elementor): from n/a through 5.10.5.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00052.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://patchstack.com/database/Wordpress/Theme/thegem-elementor/vulnerability/wordpress-thegem-elementor-theme-5-10-5-broken-access-control-vulnerability?_s_id=cve

History

Thu, 23 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}`

Wed, 01 Apr 2026 23:45:00 +0000

Type	Values Removed	Values Added
Description	Missing Authorization vulnerability in CodexThemes TheGem (Elementor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TheGem (Elementor): from n/a through 5.10.5.	Missing Authorization vulnerability in CodexThemes TheGem (Elementor) thegem-elementor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TheGem (Elementor): from n/a through <= 5.10.5.
References	https://patchstack.com/database/wordpress/theme/thegem-elementor/vulnerability/wordpress-thegem-elementor-theme-5-10-5-broken-access-control-vulnerability?_s_id=cve	https://patchstack.com/database/Wordpress/Theme/thegem-elementor/vulnerability/wordpress-thegem-elementor-theme-5-10-5-broken-access-control-vulnerability?_s_id=cve
Metrics	cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}`

Mon, 29 Sep 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 29 Sep 2025 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Codexthemes Codexthemes thegem Elementor Elementor elementor Wordpress Wordpress wordpress
Vendors & Products		Codexthemes Codexthemes thegem Elementor Elementor elementor Wordpress Wordpress wordpress

Fri, 26 Sep 2025 08:45:00 +0000

Type	Values Removed	Values Added
Description		Missing Authorization vulnerability in CodexThemes TheGem (Elementor) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TheGem (Elementor): from n/a through 5.10.5.
Title		WordPress TheGem (Elementor) Theme <= 5.10.5 - Broken Access Control Vulnerability
Weaknesses		CWE-862
References		https://patchstack.com/database/wordpress/theme/thegem-elementor/vulnerability/wordpress-thegem-elementor-theme-5-10-5-broken-access-control-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L'}`

Subscriptions

Codexthemes Thegem

Elementor Elementor

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2025-09-26T08:31:18.894Z

Updated: 2026-04-28T16:13:54.743Z

Reserved: 2025-09-25T15:20:09.848Z

Link: CVE-2025-60096

Vulnrichment

Updated: 2025-09-29T16:07:32.064Z

NVD

Status : Deferred

Published: 2025-09-26T09:15:34.740

Modified: 2026-04-23T15:34:12.713

Link: CVE-2025-60096

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T00:15:23Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object