CVE-2025-62041

Vulnerability

Overview

TheGem (Elementor) theme for WordPress, developed by CodexThemes, contains a reflected Cross-Site Scripting (XSS) vulnerability in the thegem-elementor component. The issue stems from improper neutralization of user-supplied input during web page generation (CWE-79). Versions from n/a through 5.10.5.1 are affected [1].

Exploitation

An attacker with contributor-level privileges or higher can inject malicious scripts into the website. User interaction is required for successful exploitation—a privileged user must click a malicious link, visit a crafted page, or submit a form. This vulnerability is considered moderately dangerous and is expected to be used in mass-exploit campaigns targeting thousands of websites regardless of their traffic or popularity [1].

Impact and

Risk

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to redirects to malicious sites, injection of advertisements or other HTML payloads, and potentially further compromise of the website or its visitors [1].

Mitigation

The vendor has released version 5.10.5.2 which resolves the vulnerability. Users are strongly advised to update immediately. For those unable to update, a mitigation rule is available from Patchstack to block attacks until the update can be applied [1].