TheGem Theme Elements (for Elementor) plugin contains an improper control of the filename in PHP include/require statements, which can be abused to include local files on the server. This vulnerability can allow an attacker to read sensitive files such as application configuration, credentials, or webroot files, and in some circumstances can lead to code execution if the attacker can trick the server into including a crafted file containing executable code. The weakness is categorized as CWE‑98 and has a CVSS score of 7.5, indicating a high severity with potential to undermine confidentiality and integrity of the affected system.

CodexThemes’ TheGem Theme Elements (for Elementor) plugin, all releases from its introduction up to and including version 5.11.0. The exact version information is limited to an upper bound; any deployment running 5.11.0 or older is vulnerable.

The EPSS score of less than 1% suggests that exploitation is currently rare, and the vulnerability is not listed in CISA’s KEV catalog. However, once compromised, an attacker could move laterally across the application by reading configuration files and potentially injecting code via included files. The attack vector is most likely through crafted user input or crafted URLs that influence the include path, as inferred from the nature of local file inclusion flaws. Given the high CVSS score and the potential impact, the risk remains significant if the plugin is not updated.