Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.10.5.1.
Published: 2025-12-23
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a local file inclusion flaw caused by improper validation of filenames used in PHP include/require statements. An attacker can supply a crafted path that resolves to an arbitrary file on the server, potentially exposing sensitive configuration files or enabling code execution if remote file inclusion is possible. This weakness aligns with CWE-98, reflecting incorrect handling of user input as a filename. The vulnerability allows the attacker to read arbitrary files, which may lead to information disclosure and, if remote files are allowed, to remote code execution.

Affected Systems

CodexThemes TheGem Theme Elements (for Elementor) plugin version 5.10.5.1 and earlier. The issue affects all releases up to and including 5.10.5.1.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector involves sending a crafted URL or input that manipulates the filename in the plugin’s include logic; an attacker would need access to a part of the site that allows input to the include path. Successful exploitation could expose local files and, in the case remote file inclusion is enabled, run arbitrary PHP code on the server.

Generated by OpenCVE AI on April 29, 2026 at 18:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the TheGem Theme Elements (for Elementor) plugin to a version newer than 5.10.5.1.
  • If updating is not possible immediately, apply a PHP open_basedir restriction to prevent the plugin from accessing files outside of the allowed directory, effectively blocking arbitrary includes.
  • Restrict file system permissions on the WordPress installation so that the web server cannot read sensitive configuration files.

Generated by OpenCVE AI on April 29, 2026 at 18:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor).This issue affects TheGem Theme Elements (for Elementor): from n/a through 5.10.5.1. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.10.5.1.
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Tue, 23 Dec 2025 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Codexthemes
Codexthemes thegem
Elementor
Elementor elementor
Wordpress
Wordpress wordpress
Vendors & Products Codexthemes
Codexthemes thegem
Elementor
Elementor elementor
Wordpress
Wordpress wordpress

Tue, 23 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 23 Dec 2025 11:45:00 +0000

Type Values Removed Values Added
Description Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor).This issue affects TheGem Theme Elements (for Elementor): from n/a through 5.10.5.1.
Title WordPress TheGem Theme Elements (for Elementor) plugin <= 5.10.5.1 - Local File Inclusion vulnerability
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Codexthemes Thegem
Elementor Elementor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:30.348Z

Reserved: 2025-12-19T10:17:23.837Z

Link: CVE-2025-68560

cve-icon Vulnrichment

Updated: 2025-12-23T14:36:33.578Z

cve-icon NVD

Status : Deferred

Published: 2025-12-23T12:15:46.430

Modified: 2026-04-23T15:36:01.487

Link: CVE-2025-68560

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T18:45:17Z

Weaknesses