VYPR
Medium severity 6.5 · NVD Advisory · Published Nov 6, 2025 · Updated Apr 15, 2026

CVE-2025-62044

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for WPBakery) thegem-elements. This issue affects TheGem Theme Elements (for WPBakery): from n/a through <= 5.10.5.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in TheGem Theme Elements for WPBakery allows privileged users to inject malicious scripts on WordPress sites.

The vulnerability is a stored cross-site scripting (XSS) flaw in the WordPress plugin 'TheGem Theme Elements (for WPBakery)', versions 5.10.5.1 and earlier. It arises from improper neutralization of input during web page generation, allowing attackers who are authenticated with certain privileges to inject arbitrary web scripts or HTML into pages.

Exploitation requires a privileged user to perform an action, such as clicking a malicious link, visiting a crafted page, or submitting a form. The attack does not necessarily require direct interaction from the victim but relies on a privileged user to trigger the injection. Once triggered, the malicious payload is stored and executed when other users access the affected page.

Successful exploitation enables an attacker to inject malicious scripts, such as redirects, advertisements, or other HTML payloads, which are executed in the browsers of visitors to the site. This can lead to defacement, data theft, or phishing attacks. The CVSS v3 score of 6.5 indicates a medium severity.

The vendor has released a patched version, 5.10.5.2, to resolve the vulnerability. Administrators are advised to update the plugin immediately. Patchstack users can enable auto-updates for vulnerable plugins to streamline the process. As this issue is used in mass-exploit campaigns, prompt remediation is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

References

1