CVE-2025-60096
Description
Missing Authorization vulnerability in CodexThemes TheGem (Elementor) thegem-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TheGem (Elementor): from n/a through <= 5.10.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing authorization in TheGem (Elementor) theme ≤5.10.5 allows authenticated low-privilege users to access restricted functionality.
Vulnerability
Description
The TheGem (Elementor) theme for WordPress contains a missing authorization vulnerability (CWE-862) in versions up to and including 5.10.5. The theme fails to verify that the requesting user holds the capability required for certain functionality before performing it, so whether an action succeeds is decided by whether a request reaches the handler rather than by the user's role. The description does not name the affected handlers [1].
Exploitation
An authenticated attacker holding a low-privilege account can exploit the flaw by sending crafted requests to the handlers that lack a capability check. The description does not state the minimum role; in WordPress this class of bug is typically reachable from subscriber level, because the wp_ajax_* and REST hooks only guarantee that a user is logged in, not that the user is authorized. No privilege beyond a valid WordPress account is required, and on sites with open registration that means anyone who signs up [1].
Impact
Successful exploitation lets the attacker perform actions intended for higher-privileged roles. The description does not specify which functionality is exposed; for a theme this commonly means changing theme or template settings or altering site content, which compromises the integrity of the WordPress site. The precise impact depends on the affected handlers and should be treated as unconfirmed until they are identified [1].
Mitigation
The affected range ends at 5.10.5, so the fix is expected in the next release; this index has not yet recorded a patch, so confirm the fixed version against the vendor's changelog before relying on it, then update the theme. Check the installed version with WP-CLI (wp theme list) or under Appearance > Themes. Until the update is applied, reduce exposure: disable open user registration if it is not needed, audit existing low-privilege accounts, and, once the affected endpoints are known, block them for non-administrator users at a web application firewall. Changing file permissions does not address a missing authorization check and is not a mitigation for this issue [1].
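The check that is missing, as an added illustration that is not TheGem's code: a hypothetical WordPress theme AJAX handler in the vulnerable form next to its hardened form. The action name mytheme_save_settings, the option key mytheme_settings and the manage_options capability are assumptions for the illustration; the real affected handlers in TheGem are not named in the description.

```php
<?php
/**
 * Hypothetical WordPress theme code illustrating a Missing Authorization
 * bug and its fix. Not TheGem code: the action names, option key and
 * capability below are invented for illustration.
 */

// VULNERABLE: the wp_ajax_* hook fires only for logged-in users, which is
// authentication, not authorization. Any role, including subscriber,
// reaches this callback, and nothing checks a capability or a nonce.
add_action( 'wp_ajax_mytheme_save_settings', 'mytheme_save_settings_vulnerable' );
function mytheme_save_settings_vulnerable() {
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'mytheme_settings', $settings ); // admin-only intent, no check
    wp_send_json_success();
}

// FIXED: verify a nonce (CSRF) and a capability (authorization) before acting.
add_action( 'wp_ajax_mytheme_save_settings_v2', 'mytheme_save_settings_fixed' );
function mytheme_save_settings_fixed() {
    // Ends the request with a 403 if the nonce is missing or invalid.
    check_ajax_referer( 'mytheme_save_settings', 'nonce' );

    // Authorization: only users allowed to manage site options get through.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    // The settings structure is assumed to be a flat array of strings here.
    $clean = array_map( 'sanitize_text_field', wp_unslash( $settings ) );
    update_option( 'mytheme_settings', $clean );
    wp_send_json_success();
}

// The nonce must be minted server-side and handed to the admin script; the
// script handle 'mytheme-admin' is assumed to be enqueued elsewhere.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'mytheme-admin', 'mythemeAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'mytheme_save_settings' ),
    ) );
} );
```

When auditing a theme or plugin for this bug class, grep for add_action calls on wp_ajax_, admin_post_ and register_rest_route, and confirm each callback (or the route's permission_callback) calls current_user_can with a capability that matches the action's intent. A nonce check alone is not authorization: a subscriber can obtain a valid nonce for any page they can load.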
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- TheGem (Elementor), thegem-elementor: <= 5.10.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.