Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) allows DOM-Based XSS. This issue affects TheGem Theme Elements (for Elementor): from n/a before 5.12.1.1.
Published: 2026-04-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: DOM‑Based Cross‑Site Scripting (XSS)
Action: Patch Immediately
AI Analysis

Impact

Improper neutralization of input during page generation in the CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin allows an attacker to inject malicious script that is executed in the victim’s browser. The result is DOM‑based XSS, giving the attacker the ability to run arbitrary JavaScript when the page is rendered. This can lead to client‑side code execution within the context of the site’s domain.

Affected Systems

The vulnerability is present in all versions of TheGem Theme Elements (for Elementor) that precede version 5.12.1.1. Any WordPress site running an older, unpatched release of the plugin is therefore vulnerable.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate risk level. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not flagged in the CISA KEV catalog. The likely attack vector is injection of malicious input through the Elementor editor or via crafted URLs whose content the plugin renders unsafely; this vector is inferred from the description of the XSS flaw rather than stated in it. Exploitation would require the victim to visit or interact with such rendered content; no privilege escalation is described.

Generated by OpenCVE AI on April 28, 2026 at 13:05 UTC.

Remediation

Vendor Solution

Update the WordPress TheGem Theme Elements (for Elementor) Plugin to the latest available version (at least 5.12.1.1).


OpenCVE Recommended Actions

  • Update TheGem Theme Elements (for Elementor) plugin to version 5.12.1.1 or later.
  • Keep WordPress core and all other plugins updated to the latest stable releases to reduce overall attack surface.
  • Restrict Elementor editor access to the administrator role only, ensuring unauthorized users cannot submit potentially unsafe content.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Codexthemes; Codexthemes thegem Theme Elements (for Elementor); Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Codexthemes; Codexthemes thegem Theme Elements (for Elementor); Wordpress; Wordpress wordpress

Mon, 27 Apr 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 11:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) allows DOM-Based XSS. This issue affects TheGem Theme Elements (for Elementor): from n/a before 5.12.1.1.

Type: Title
Values Added: WordPress TheGem theme Elements (for Elementor) plugin < 5.12.1.1 - Cross Site Scripting (XSS) vulnerability

Type: Weaknesses
Values Added: CWE-79

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-27T13:39:25.112Z

Reserved: 2026-04-27T10:39:10.015Z

Link: CVE-2026-42410

Vulnrichment

Updated: 2026-04-27T13:39:14.594Z

NVD

Status: Deferred

Published: 2026-04-27T12:16:23.883

Modified: 2026-04-27T18:37:59.213

Link: CVE-2026-42410

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T13:15:31Z

Weaknesses