{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-69356", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-31T20:12:32.245Z", "datePublished": "2026-01-06T16:36:41.397Z", "dateUpdated": "2026-04-28T20:54:43.787Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "thegem-elements-elementor", "product": "TheGem Theme Elements (for Elementor)", "vendor": "CodexThemes", "versions": [{"changes": [{"at": "5.11.1", "status": "unaffected"}], "lessThanOrEqual": "5.11.0", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:10.188Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion.<p>This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0.</p>"}], "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:38.767Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-11-0-local-file-inclusion-vulnerability?_s_id=cve"}], "title": "WordPress TheGem Theme Elements (for Elementor) plugin <= 5.11.0 - Local File Inclusion vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-13T14:18:16.736867Z", "id": "CVE-2025-69356", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T20:54:43.787Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69356", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-13T14:18:16.736867Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-13T14:18:09.763Z"}}], "cna": {"title": "WordPress TheGem Theme Elements (for Elementor) plugin <= 5.11.0 - Local File Inclusion vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "PHP Local File Inclusion"}]}], "affected": [{"vendor": "CodexThemes", "product": "TheGem Theme Elements (for Elementor)", "versions": [{"status": "affected", "changes": [{"at": "5.11.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.11.0"}], "packageName": "thegem-elements-elementor", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-01T16:04:10.188Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-11-0-local-file-inclusion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0.", "supportingMedia": [{"type": "text/html", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion.<p>This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-98", "description": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-01T14:13:21.517Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69356", "state": "PUBLISHED", "dateUpdated": "2026-04-01T14:13:21.517Z", "dateReserved": "2025-12-31T20:12:32.245Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-06T16:36:41.397Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.0."}], "id": "CVE-2025-69356", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-01-06T17:15:48.207", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-11-0-local-file-inclusion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-98"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:03:27.980093+00:00", "value": {"mitigation_remediation": ["Upgrade to TheGem Theme Elements (for Elementor) 5.11.1 or later, which contains the fix for the filename inclusion issue.", "Disable remote URL loading and restrict file inclusion paths to safe directories only, preventing unintended file access from user-supplied parameters.", "Apply general WordPress best practices: restrict file permissions on the webroot, maintain regular backups, and monitor file changes or error logs for signs of exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Local File Inclusion enabling arbitrary file read and potential code execution on the web server"}, "threat_synthesis": {"affected_systems": "CodexThemes\u2019 TheGem Theme Elements (for Elementor) plugin, all releases from its introduction up to and including version 5.11.0. The exact version information is limited to an upper bound; any deployment running 5.11.0 or older is vulnerable.", "description_and_impact": "TheGem Theme Elements (for Elementor) plugin contains an improper control of the filename in PHP include/require statements, which can be abused to include local files on the server. This vulnerability can allow an attacker to read sensitive files such as application configuration, credentials, or webroot files, and in some circumstances can lead to code execution if the attacker can trick the server into including a crafted file containing executable code. The weakness is categorized as CWE\u201198 and has a CVSS score of 7.5, indicating a high severity with potential to undermine confidentiality and integrity of the affected system.", "risk_and_exploitability": "The EPSS score of less than 1% suggests that exploitation is currently rare, and the vulnerability is not listed in CISA\u2019s KEV catalog. However, once compromised, an attacker could move laterally across the application by reading configuration files and potentially injecting code via included files. The attack vector is most likely through crafted user input or crafted URLs that influence the include path, as inferred from the nature of local file inclusion flaws. Given the high CVSS score and the potential impact, the risk remains significant if the plugin is not updated."}}}}, "created": "2026-01-07T10:09:04.779351+00:00", "updated": "2026-04-28T10:15:28.846104+00:00", "vendors": ["codexthemes", "codexthemes$PRODUCT$thegem", "elementor", "elementor$PRODUCT$elementor", "wordpress", "wordpress$PRODUCT$wordpress"]}