CVE-2025-68560 HIGH

CVE-2025-68560: WordPress TheGem Theme Elements (for Elementor) plugin <= 5.10.5.1 - Local File Inclusion vulnerability

Vendor Codexthemes
Product TheGem Theme Elements (for Elementor)
Weakness CWE-98 · PHP file inclusion
Published December 23, 2025
Last update April 28, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor. This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.10.5.1.

Explanation of Vulnerability in Simple Terms

02 Summary

TheGem Theme Elements (for Elementor) contains a PHP file inclusion vulnerability (CWE-98) affecting versions up to and including 5.10.5.1. An authenticated user with low privileges can execute arbitrary code on the site, potentially compromising the entire WordPress installation. Exploitation is possible over the network and has high attack complexity; a successful attack grants full control over site data and functionality.

What an attacker can do

03 Attacker Capabilities

Run arbitrary code on the site with the privileges of the WordPress user account.

Potential impact on your site

04 Site Impact

A compromised user account can execute code, modify site content, steal data, or install malware.

Conditions required to exploit

05 Prerequisites

Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor role).

Key dates

06 Disclosure timeline

December 23, 2025 CVE published
April 28, 2026 Record updated
