Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows Stored XSS. This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0.
Published: 2026-01-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

TheGem Theme Elements (for Elementor) contains an improper neutralization of input during web page generation, allowing an attacker to inject malicious JavaScript that is stored and later delivered to other users. This stored XSS flaw can compromise the confidentiality and integrity of website users’ data, potentially leading to session hijacking or credential theft. The weakness is classified as CWE‑79.

Affected Systems

CodexThemes’ TheGem Theme Elements (for Elementor) plugin is affected. All installations running version 5.11.0 or earlier are vulnerable; the CVE data does not name a fixed release.

Risk and Exploitability

The CVSS v3 score of 6.5 indicates moderate severity, the EPSS score puts the likelihood of exploitation below 1%, and the vulnerability is not in the CISA KEV catalog. An attacker would need to supply crafted input that the plugin accepts, stores, and later renders to other users; the likely path is the plugin’s element editing interface, but the disclosure does not state the exact vector, so this is inferred from the stored nature of the flaw.

Generated by OpenCVE AI on April 27, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TheGem Theme Elements (for Elementor) to the latest version, which removes the XSS flaw.
  • If an upgrade is not immediately possible, disable the plugin until a patch is applied.
  • Monitor user input channels that interact with the plugin for unexpected scripts, and apply general XSS prevention controls such as output encoding where feasible.

Generated by OpenCVE AI on April 27, 2026 at 21:52 UTC.
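As an added illustration of the output-encoding control named in the last recommendation (this is example code written for this page, not code from the TheGem plugin or from OpenCVE), the following stand-alone PHP renders a stored value once unescaped and once escaped for the HTML body and attribute contexts it lands in. `$stored_title` is a constructed sample, and `render_unescaped`, `render_escaped` and `esc_for_html` are hypothetical helper names; inside a WordPress plugin the equivalents are `esc_html()` for body text and `esc_attr()` for attribute values.

```php
<?php
// Added example: escaping stored data at render time, the control the
// recommendation above refers to. Not code from TheGem or OpenCVE.

// Constructed sample: a value a low-privilege editor could have saved in
// an element setting. The plugin must treat it as data, not as markup.
$stored_title = 'Summer sale <script>alert(1)</script>';

// Hypothetical helper: echoes stored data straight into the page.
// This is the CWE-79 pattern; the browser parses the value as markup,
// so any script inside it runs for every visitor who loads the page.
function render_unescaped(string $title): string {
    return '<h2 class="widget-title">' . $title . '</h2>';
}

// Hypothetical helper: HTML-encode the characters that can change the
// structure of the document. ENT_QUOTES covers both quote styles, which
// matters when the same value is later placed inside an attribute.
function esc_for_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: the same output with the value escaped for each
// context it is written into.
function render_escaped(string $title): string {
    // HTML body context: '<' and '>' become &lt; and &gt;, so the tag is
    // shown as literal text instead of being parsed.
    $heading = '<h2 class="widget-title">' . esc_for_html($title) . '</h2>';
    // Attribute context: quotes are encoded, so the value cannot close
    // the attribute and introduce a new event-handler attribute.
    $link = '<a href="#" title="' . esc_for_html($title) . '">more</a>';
    return $heading . "\n" . $link;
}

echo "Unescaped (vulnerable pattern):\n", render_unescaped($stored_title), "\n\n";
echo "Escaped (fixed pattern):\n", render_escaped($stored_title), "\n";
```

The point of the fixed variant is that escaping happens at the output site and is chosen per context; sanitising on input alone does not help once the data is emitted into a context the sanitiser did not anticipate.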


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 07 Jan 2026 10:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Codexthemes; Codexthemes thegem; Elementor; Elementor elementor; Wordpress; Wordpress wordpress
Vendors & Products    -                Codexthemes; Codexthemes thegem; Elementor; Elementor elementor; Wordpress; Wordpress wordpress

Tue, 06 Jan 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}
                           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 06 Jan 2026 16:45:00 +0000

Type          Values Removed   Values Added
Description   -                Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows Stored XSS. This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0.
Title         -                WordPress TheGem Theme Elements (for Elementor) plugin <= 5.11.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses    -                CWE-79
References    -

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:54:53.294Z

Reserved: 2025-12-31T20:12:32.245Z

Link: CVE-2025-69357

Vulnrichment

Updated: 2026-01-06T17:25:27.432Z

NVD

Status : Deferred

Published: 2026-01-06T17:15:48.327

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69357

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T22:00:16Z

Weaknesses