Impact
The TheGem (Elementor) theme improperly neutralizes input when generating web pages, which permits attackers to inject arbitrary script code. An attacker can embed malicious scripts that execute in the browser of any visitor viewing the affected pages, enabling session hijacking, defacement or other client‑side attacks. The flaw is a typical Cross‑Site Scripting (CWE‑79) weakness: unsanitized data is reflected or output into the page without proper escaping. Because the script runs in the victim’s context, the attacker can also perform actions with the victim’s privileges, compromising the confidentiality and integrity of the site.
Affected Systems
All WordPress sites using CodexThemes TheGem (Elementor) theme version 5.10.5.1 or earlier are vulnerable. This includes every installation that has not applied the later patch releases.
Risk and Exploitability
The CVSS score of 7.1 marks this flaw as moderate‑to‑high severity, while an EPSS score of less than 1 % suggests a low current exploitation likelihood. The vulnerability is not listed in CISA’s KEV catalog. Attackers can exploit the flaw remotely by supplying crafted input to the theme, such as via theme settings or database content that is not properly sanitized; only a victim’s browser needs to render the page for the script to execute. From the description, the most likely vector is unsanitized data passing through the theme’s output functions, but the CVE text does not state which specific inputs or controls lack sanitization.
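The example below is added here to illustrate the weakness class and its remediation; it is not code from TheGem, Elementor or WordPress. It renders one constructed theme option the unescaped way (the CWE‑79 pattern the advisory describes) and the escaped way, and includes a small heuristic helper for auditing template files for output that bypasses WordPress's escaping functions. The function names esc_html(), esc_attr() and esc_url() are real WordPress APIs; the fallback bodies defined here are simplified stand‑ins so the script runs outside WordPress, and render_unsafe(), render_safe() and find_unescaped_output() are hypothetical names chosen for this illustration.

```php
<?php
// Added illustration (not TheGem or WordPress code). Run with: php xss_escaping.php
// Inside WordPress the real esc_html()/esc_attr()/esc_url() are used; outside
// WordPress the simplified fallbacks below stand in for them.

if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    function esc_url(string $url): string {
        // Fallback only: accept http(s) links, drop everything else (e.g. javascript:).
        // WordPress's real esc_url() is considerably more thorough.
        return preg_match('#^https?://#i', $url)
            ? htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8')
            : '';
    }
}

// Constructed sample values, as an attacker might have stored them in a
// theme setting or post meta field.
$title = 'Welcome <img src=x onerror="alert(document.cookie)">';
$link  = 'javascript:alert(1)';

// Vulnerable pattern (CWE-79): the stored value is echoed straight into markup,
// so the browser parses the injected <img> tag and runs its onerror handler.
function render_unsafe(string $title, string $link): string {
    return '<a class="hero-title" href="' . $link . '">' . $title . '</a>';
}

// Hardened pattern: escape each value for the context it lands in
// (URL attribute vs. element text), so the payload is shown as inert text.
function render_safe(string $title, string $link): string {
    return '<a class="hero-title" href="' . esc_url($link) . '">'
         . esc_html($title) . '</a>';
}

// Heuristic audit helper (hypothetical, not a WordPress API): flag echo/print
// statements whose argument contains a variable or function call that is not
// wrapped in an esc_*/wp_kses*/htmlspecialchars call. Expect false positives;
// it is a triage aid for reviewing theme templates, not a proof of safety.
function find_unescaped_output(string $php_source): array {
    $findings = [];
    foreach (explode("\n", $php_source) as $n => $line) {
        if (preg_match('/\b(echo|print)\b\s*(.+?);/', $line, $m)
            && preg_match('/\$\w+|\w+\(/', $m[2])
            && !preg_match('/\b(esc_\w+|wp_kses\w*|htmlspecialchars)\s*\(/', $m[2])) {
            $findings[] = ($n + 1) . ': ' . trim($line);
        }
    }
    return $findings;
}

// Constructed template fragment used to exercise the audit helper.
$sample_template = <<<'PHP'
<h1><?php echo $atts['title']; ?></h1>
<h2><?php echo esc_html($atts['subtitle']); ?></h2>
<p><?php echo 'static text'; ?></p>
PHP;

echo "Unsafe: ", render_unsafe($title, $link), "\n";
echo "Safe:   ", render_safe($title, $link), "\n";
echo "Audit findings:\n";
foreach (find_unescaped_output($sample_template) as $finding) {
    echo "  ", $finding, "\n";   // only line 1 of the sample is reported
}
```

The hardened renderer escapes at output time and per context, which is the control a theme patch for this class of bug normally adds; sanitizing on input alone is not sufficient because the same value may be emitted into HTML text, an attribute and a URL, each of which needs different treatment.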
OpenCVE Enrichment