VYPR
Medium severity (6.5) · NVD Advisory · Published Nov 6, 2025 · Updated Apr 15, 2026

CVE-2025-62012

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem (Elementor) thegem-elementor. This issue affects TheGem (Elementor): from n/a through <= 5.10.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS vulnerability in TheGem (Elementor) WordPress theme through 5.10.5 allows attackers with contributor-level access to inject arbitrary scripts.

Vulnerability

Overview

CVE-2025-62012 is a stored cross-site scripting (XSS) vulnerability affecting the TheGem (Elementor) WordPress theme, an Elementor-compatible theme by CodexThemes. The issue stems from improper neutralization of user-supplied input during web page generation. Versions from n/a through 5.10.5 are impacted. An attacker who can submit content (e.g., a contributor or higher-level user) may inject malicious HTML or JavaScript that is later executed in the browsers of visitors [1].

Exploitation and Attack Surface

To exploit this vulnerability, an attacker must have an authenticated WordPress account at the Contributor role or above, and must trick a site administrator into performing an action (e.g., clicking a crafted link or submitting a special form). The injected script is stored and triggers when any user—including admins and visitors—views the affected page [1]. This user interaction requirement means the vulnerability cannot be exploited solely by an unauthenticated visitor; it relies on social engineering of a privileged user to complete the injection.

Impact

Successful exploitation allows arbitrary script execution in the context of the victim's browser. This can be used to hijack sessions, redirect users to malicious sites, deface pages, or steal sensitive data such as authentication tokens. The advisory notes that this class of vulnerability is frequently used in mass-exploit campaigns targeting thousands of websites regardless of their size [1].

Mitigation

The vendor has released version 5.10.5.1 which resolves the vulnerability. Users are strongly advised to update to this version immediately. For sites that cannot update promptly, hosting providers or web developers should implement alternative security measures, such as a web application firewall rule or the Patchstack mitigation rule referenced in the advisory [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in the index yet)