Skip to main content

TheGem Theme Elements (Elementor) CVE-2026-42410

| EUVD-2026-25822 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-27 Patchstack
XSS Thegem Theme Elements For Elementor Elementor
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 18:37 nvd
Patch available
Patch available
Apr 27, 2026 - 13:01 EUVD
Analysis Generated
Apr 27, 2026 - 12:00 vuln.today
EUVD ID Assigned
Apr 27, 2026 - 11:30 euvd
EUVD-2026-25822
Analysis Generated
Apr 27, 2026 - 11:30 vuln.today
CVE Published
Apr 27, 2026 - 10:41 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) allows DOM-Based XSS.This issue affects TheGem Theme Elements (for Elementor): from n/a before 5.12.1.1.

AnalysisAI

DOM-based cross-site scripting (XSS) in CodexThemes TheGem Theme Elements plugin for Elementor allows authenticated attackers with low privileges to inject malicious scripts that execute in the context of other users' browsers when user interaction occurs. The vulnerability affects versions before 5.12.1.1 and requires authenticated access and user interaction to exploit, limiting real-world risk compared to network-vector XSS but still enabling session hijacking, credential theft, or unauthorized admin actions on WordPress sites using this plugin.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain contributor credentials or compromise existing account
Delivery
Log into WordPress admin
Exploit
Open Elementor page builder
Install
Inject XSS payload into TheGem element input field
C2
Victim views or edits page
Execute
Malicious script executes in victim's browser DOM context
Impact
Steal session cookie or trigger unauthorized admin action
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) Valid authenticated WordPress user account with at least contributor or editor role (PR:L). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 6.5 with AV:N/AC:L/PR:L/UI:R/S:C indicates moderate severity: network-accessible but requiring authenticated access, low attack complexity, and user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A WordPress site administrator grants a contractor contributor-level editing permissions on the site. The contractor (or an attacker who compromises the contributor account) logs into WordPress, accesses Elementor page builder, and edits a page containing a TheGem Theme Element (e.g., a custom gallery or card component). …
Remediation Upgrade TheGem Theme Elements (for Elementor) to version 5.12.1.1 or later immediately via WordPress plugin management (Plugins > Installed Plugins > TheGem Theme Elements > Update). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-42410 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy