Impact
Improper neutralization of input during web page generation allows a malicious actor to inject arbitrary scripts that run in the browsers of visitors to a compromised site. Such cross‑site scripting can lead to credential theft, session hijacking, defacement, or the delivery of additional malware, compromising the confidentiality, integrity, and availability of user data and the site itself.
Affected Systems
The Gem Theme Elements (for WPBakery) plugin by CodexThemes is affected when installed on any WordPress site, up to and including version 5.10.5.1. Sites that rely on this plugin for page construction or content rendering are potentially vulnerable while the plugin remains at a version predating the fix and the site applies no additional sanitization of user-supplied data.
Risk and Exploitability
The stated CVSS score of 6.5 indicates a moderate-severity vulnerability. The EPSS score of less than 1% suggests that the probability of exploitation being observed is very low, although the vulnerability remains measurable and exploitable. The issue is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is the injection of untrusted input into the plugin’s output rendering process, possibly via administrative interfaces or crafted URLs; an attacker who can supply such data can execute arbitrary script code in the victim’s browser.
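As an added illustration of the vulnerability class described above (this is not the plugin's own code, which is not reproduced here): a hypothetical WordPress shortcode element showing the unescaped rendering pattern beside the contextually escaped form. The shortcode tag, CSS class and sample value are assumptions; the snippet is meant to run inside WordPress, where esc_attr(), esc_html(), add_shortcode() and shortcode_atts() are defined.

```php
<?php
// Added illustration of CWE-79 in a WordPress element; not code from
// Gem Theme Elements. Runs inside WordPress (needs the esc_* helpers).

// Constructed sample input: a title containing a quote and a tag.
$sample_atts = array( 'title' => 'Q&A "quotes" <b>bold</b>' );

function vulnerable_element_html( array $atts ) {
    // Attribute value and text are written into markup unchanged,
    // so any quote or tag inside $atts['title'] becomes part of the
    // page structure instead of being shown as text.
    return '<div class="demo-el" data-title="' . $atts['title'] . '">'
         . $atts['title'] . '</div>';
}

function hardened_element_html( array $atts ) {
    // Escape for the context the value is written into:
    // esc_attr() inside an attribute, esc_html() in element text.
    // Contextual output escaping, not input filtering alone, is what
    // keeps the value from being interpreted as markup.
    $title = isset( $atts['title'] ) ? (string) $atts['title'] : '';
    return '<div class="demo-el" data-title="' . esc_attr( $title ) . '">'
         . esc_html( $title ) . '</div>';
}

// Registered with real WordPress APIs; 'demo_element' is a
// hypothetical shortcode tag used only for this illustration.
add_shortcode( 'demo_element', function ( $atts ) {
    $atts = shortcode_atts( array( 'title' => '' ), $atts, 'demo_element' );
    return hardened_element_html( $atts );
} );
```

With the sample value, the hardened output carries `&quot;` and `&lt;b&gt;` where the vulnerable output carries a raw quote and a live tag, which is the difference a code review of a plugin's rendering functions should look for.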
OpenCVE Enrichment