Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements allows DOM-Based XSS.This issue affects TheGem Theme Elements (for WPBakery): from n/a through <= 5.11.0.
Published: 2026-01-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting capable of defacement or session hijacking
Action: Immediate Patch
AI Analysis

Impact

The Gem Theme Elements plugin contains a DOM‑based XSS flaw caused by inadequate input neutralization when generating web pages. An attacker can inject malicious JavaScript which then executes in the context of a visitor’s browser, allowing defacement, theft of credentials, or other client‑side attacks. The CVSS score of 6.5 classifies it as moderate severity, and the low EPSS value (<1%) indicates that, at the time of assessment, exploitation is unlikely to be widespread. The vulnerability is not listed in CISA’s KEV catalog.

Affected Systems

WordPress installations that use CodexThemes’ TheGem Theme Elements (for WPBakery) plugin up to and including version 5.11.0. Site administrators and users exposed to the plugin’s content are at risk.

Risk and Exploitability

The vulnerability can be triggered by loading a page that processes untrusted input from the plugin, typically via user‑submitted content or admin‑configurable elements. Exploitation requires that the victim view a crafted page, after which arbitrary code runs with the victim’s privileges. Given the moderate CVSS score and a very low EPSS, the immediate tactical risk is moderate, but the potential for social engineering attacks remains.

Generated by OpenCVE AI on April 27, 2026 at 21:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade thegem‑elements to the newest release that removes the XSS flaw
  • If an upgrade is not immediately possible, limit the plugin’s exposure by disabling it on public pages or by sanitizing its input via a security plugin
  • Continuously monitor access logs for suspicious script executions and apply general XSS prevention measures such as input validation and content security policies

Generated by OpenCVE AI on April 27, 2026 at 21:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Wed, 07 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Codexthemes
Codexthemes thegem
Wordpress
Wordpress wordpress
Vendors & Products Codexthemes
Codexthemes thegem
Wordpress
Wordpress wordpress

Tue, 06 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 06 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Tue, 06 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements allows DOM-Based XSS.This issue affects TheGem Theme Elements (for WPBakery): from n/a through <= 5.11.0.
Title WordPress TheGem Theme Elements (for WPBakery) plugin <= 5.11.0 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Codexthemes Thegem
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:55:02.189Z

Reserved: 2025-12-31T20:12:32.245Z

Link: CVE-2025-69360

cve-icon Vulnrichment

Updated: 2026-01-06T17:44:52.856Z

cve-icon NVD

Status : Deferred

Published: 2026-01-06T17:15:48.557

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69360

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:00:16Z

Weaknesses