Impact
CodexThemes' TheGem (Elementor) theme contains an XSS flaw caused by insufficient sanitization of data that is subsequently injected into a page's output. An attacker can craft input that is stored in theme options, widget content, or other editable fields and is then rendered without escaping, causing arbitrary JavaScript to run in the browsers of visitors to affected pages. This could allow session hijacking, credential theft, or defacement of user-facing content.
Affected Systems
CodexThemes TheGem (Elementor) theme for WordPress: all releases up to and including version 5.10.5.
Risk and Exploitability
The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of active exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The description indicates that the flaw arises from unsanitized user input that the theme renders, so the most probable attack vector is any user-editable content that the theme outputs. The advisory does not enumerate the specific affected fields, so site operators must audit every place where the theme accepts and displays input without applying proper escaping.
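One way to start the audit described above, as an added example (not code from the advisory or from TheGem): a heuristic Python scan of theme PHP templates that flags `echo`, `print` and `<?= ?>` statements emitting variables or stored options without a WordPress escaping helper. The sample template and its option names are constructed, and the list of helpers treated as safe is an assumption to tune per site.

```python
import re

# WordPress helpers that escape or constrain a value before it is printed.
SAFE = ("esc_html", "esc_attr", "esc_url", "esc_js", "esc_textarea",
        "wp_kses", "wp_kses_post", "absint", "intval")
SAFE_RE = re.compile(r"\s*(?:%s)\s*\(" % "|".join(SAFE))
# Output sinks: `echo ...;`, `print ...;` and the `<?= ... ?>` short tag.
OUTPUT_RE = re.compile(
    r"\b(?:echo|print)\b(?P<stmt>[^;]*);|<\?=(?P<tag>.*?)\?>", re.S)
# Dynamic data: any PHP variable, or a getter for stored options/meta.
DYNAMIC_RE = re.compile(r"\$\w+|\b(?:get_option|get_theme_mod|get_post_meta)\s*\(")
# String literals that cannot interpolate a variable are blanked before analysis.
LITERAL_RE = re.compile(r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\$])*\"")

def operands(expr):
    """Split on '.' (concatenation) and ',' at parenthesis depth 0."""
    depth, start = 0, 0
    for i, ch in enumerate(expr):
        if ch in "([":
            depth += 1
        elif ch in ")]":
            depth -= 1
        elif ch in ".," and depth == 0:
            yield expr[start:i]
            start = i + 1
    yield expr[start:]

def find_unescaped_output(php_source):
    """Return (line, snippet) for each output statement printing raw dynamic data."""
    findings = []
    for m in OUTPUT_RE.finditer(php_source):
        expr = LITERAL_RE.sub("''", m.group("stmt") or m.group("tag") or "")
        if any(DYNAMIC_RE.search(op) and not SAFE_RE.match(op) for op in operands(expr)):
            line = php_source.count("\n", 0, m.start()) + 1
            findings.append((line, m.group(0).strip()))
    return findings

# Constructed sample template (hypothetical option names, not TheGem code).
SAMPLE = """\
<?php $title = get_option('demo_banner_title'); ?>
<h2><?php echo $title; ?></h2>
<h2><?php echo esc_html( $title ); ?></h2>
<a href="<?= esc_url( $link ) ?>" title="<?= $label ?>">x</a>
<p><?php echo '<span>' . get_theme_mod('demo_note') . '</span>'; ?></p>
<p><?php echo wp_kses_post( $body ) . '<br>'; ?></p>
<p><?php echo 'static text'; ?></p>
"""

if __name__ == "__main__":
    for line, snippet in find_unescaped_output(SAMPLE):
        print(f"line {line}: {snippet}")
```

The scan is a triage aid for manual review: ternary expressions and values escaped before being assigned to a variable are still flagged, and output produced through other functions is not covered.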