{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-42410", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-27T10:39:10.015Z", "datePublished": "2026-04-27T10:41:03.641Z", "dateUpdated": "2026-04-27T13:39:25.112Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-27T10:41:03.641Z"}, "title": "WordPress TheGem theme Elements (for Elementor) plugin < 5.12.1.1 - Cross Site Scripting (XSS) vulnerability", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "CAPEC-588 DOM-Based XSS"}]}], "affected": [{"vendor": "CodexThemes", "product": "TheGem Theme Elements (for Elementor)", "versions": [{"status": "affected", "version": "n/a", "lessThan": "5.12.1.1", "changes": [{"at": "5.12.1.1", "status": "unaffected"}], "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) allows DOM-Based XSS.This issue affects TheGem Theme Elements (for Elementor): from n/a before 5.12.1.1.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) allows DOM-Based XSS.<p>This issue affects TheGem Theme Elements (for Elementor): from n/a before 5.12.1.1.</p>"}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-12-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"}}], "solutions": [{"lang": "en", "value": "Update the WordPress TheGem Theme Elements (for Elementor) Plugin to the latest available version (at least 5.12.1.1).", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Update the WordPress TheGem Theme Elements (for Elementor) Plugin to the latest available version (at least 5.12.1.1)."}]}], "credits": [{"lang": "en", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program", "user": "00000000-0000-4000-9000-000000000000", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T13:39:09.698522Z", "id": "CVE-2026-42410", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:39:25.112Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-42410", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-27T13:39:09.698522Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T13:39:14.594Z"}}], "cna": {"title": "WordPress TheGem theme Elements (for Elementor) plugin < 5.12.1.1 - Cross Site Scripting (XSS) vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Jo\u00e3o Pedro S Alc\u00e2ntara (Kinorth) | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-588", "descriptions": [{"lang": "en", "value": "CAPEC-588 DOM-Based XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "CodexThemes", "product": "TheGem Theme Elements (for Elementor)", "versions": [{"status": "affected", "changes": [{"at": "5.12.1.1", "status": "unaffected"}], "version": "n/a", "lessThan": "5.12.1.1", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Update the WordPress TheGem Theme Elements (for Elementor) Plugin to the latest available version (at least 5.12.1.1).", "supportingMedia": [{"type": "text/html", "value": "Update the WordPress TheGem Theme Elements (for Elementor) Plugin to the latest available version (at least 5.12.1.1).", "base64": false}]}], "references": [{"url": "https://patchstack.com/database/wordpress/plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-12-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) allows DOM-Based XSS.This issue affects TheGem Theme Elements (for Elementor): from n/a before 5.12.1.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) allows DOM-Based XSS.<p>This issue affects TheGem Theme Elements (for Elementor): from n/a before 5.12.1.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-27T10:41:03.641Z"}}}, "cveMetadata": {"cveId": "CVE-2026-42410", "state": "PUBLISHED", "dateUpdated": "2026-04-27T13:39:25.112Z", "dateReserved": "2026-04-27T10:39:10.015Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-27T10:41:03.641Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) allows DOM-Based XSS.This issue affects TheGem Theme Elements (for Elementor): from n/a before 5.12.1.1."}], "id": "CVE-2026-42410", "lastModified": "2026-04-27T18:37:59.213", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 3.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-04-27T12:16:23.883", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/wordpress/plugin/thegem-elements-elementor/vulnerability/wordpress-thegem-theme-elements-for-elementor-plugin-5-12-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.12.1.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "TheGem Theme Elements (for Elementor)", "source": "cna", "vendor": "CodexThemes"}, "product": "thegem_theme_elements_(for_elementor)", "vendor": "codexthemes"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T13:05:39.854025+00:00", "value": {"mitigation_remediation": ["Update TheGem Theme Elements (for Elementor) plugin to version 5.12.1.1 or later.", "Keep WordPress core and all other plugins updated to the latest stable releases to reduce overall attack surface.", "Restrict Elementor editor access to the administrator role only, ensuring unauthorized users cannot submit potentially unsafe content."], "summary": {"action": "Patch Immediately", "impact": "DOM\u2011Based Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The vulnerability is present in all versions of TheGem Theme Elements (for Elementor) that precede version 5.12.1.1. Any WordPress site using an unpublished or older release of the plugin is therefore vulnerable.", "description_and_impact": "Improper neutralization of input during page generation in the CodexThemes TheGem Theme Elements (for Elementor) WordPress plugin allows an attacker to inject malicious script that is executed in the victim\u2019s browser. The result is DOM\u2011based XSS, giving the attacker the ability to run arbitrary JavaScript when the page is rendered. This can lead to client\u2011side code execution within the context of the site\u2019s domain.", "risk_and_exploitability": "The CVSS score of 6.5 reflects a moderate risk level. The EPSS score of less than 1\u202f% indicates a low probability of exploitation in the wild, and the vulnerability is not flagged in the CISA KEV catalog. The likely attack vector involves the injection of malicious input through the Elementor editor or via crafted URLs that render unsafe content, which is inferred from the description of the XSS flaw. Exploitation would require the victim to visit or interact with such rendered content; no privilege escalation is described."}}}}, "created": "2026-04-28T09:17:12.859552+00:00", "updated": "2026-04-28T13:15:31.874518+00:00", "vendors": ["codexthemes", "codexthemes$PRODUCT$thegem_theme_elements_(for_elementor)", "wordpress", "wordpress$PRODUCT$wordpress"]}