CVE-2026-42410
Received Received - Intake
DOM-Based XSS in TheGem Theme Elements for Elementor

Publication date: 2026-04-27

Last updated on: 2026-04-27

Assigner: Patchstack

Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) allows DOM-Based XSS.This issue affects TheGem Theme Elements (for Elementor): from n/a before 5.12.1.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-14
NVD
CVE-2026-42410
EUVD
EUVD-2026-25822
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
codexthemes thegem_theme_elements From 5.12.1.1 (inc) to 5.12.1.1 (exc)
codexthemes thegem_theme_elements to 5.12.1.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42410 is a Cross Site Scripting (XSS) vulnerability affecting the WordPress TheGem Theme Elements (for Elementor) Plugin versions prior to 5.12.1.1.

This vulnerability allows attackers to inject malicious scriptsβ€”such as redirects, advertisements, or other HTML payloadsβ€”that execute when visitors access the compromised site.

The issue requires a user with at least Contributor or Developer privileges to perform an action like clicking a malicious link, visiting a crafted page, or submitting a form for successful exploitation.

Impact Analysis

This vulnerability can lead to the execution of malicious scripts on your website, which may result in unwanted redirects, display of unauthorized advertisements, or other harmful HTML payloads.

Because exploitation requires user interaction and certain privileges, the impact is considered moderate with a CVSS score of 6.5.

However, such vulnerabilities are often targeted in mass campaigns affecting many websites, potentially compromising site integrity and user trust.

Detection Guidance

This vulnerability is a DOM-Based Cross Site Scripting (XSS) issue in the TheGem Theme Elements (for Elementor) plugin versions prior to 5.12.1.1. Detection typically involves identifying if the vulnerable plugin version is installed and if malicious scripts are being injected or executed.

Since the vulnerability requires user interaction such as clicking a malicious link or submitting a form, monitoring web traffic for suspicious payloads or unusual script injections can help detect exploitation attempts.

Specific commands are not provided in the available resources, but general detection steps include:

  • Check the installed version of TheGem Theme Elements plugin to see if it is older than 5.12.1.1.
  • Use web application scanners or security plugins that detect XSS vulnerabilities.
  • Monitor HTTP requests and responses for suspicious script injections or unusual parameters.
  • Review user activity logs for unexpected actions by users with Contributor or Developer privileges.
Mitigation Strategies

The primary and most effective mitigation step is to update the TheGem Theme Elements (for Elementor) plugin to version 5.12.1.1 or later, where the vulnerability is fixed.

If immediate updating is not possible, users are advised to seek assistance from their hosting provider or web developer to apply temporary mitigations or monitoring.

Additionally, enabling auto-updates for the plugin can help ensure that future vulnerabilities are patched promptly.

Limiting user privileges to only necessary roles and educating users about the risks of clicking unknown links or submitting untrusted forms can reduce the risk of exploitation.

Compliance Impact

The vulnerability is a Cross Site Scripting (XSS) issue that allows attackers to inject malicious scripts which can execute in the context of users visiting the compromised site.

Such vulnerabilities can potentially lead to unauthorized access to user data or session hijacking, which may impact compliance with data protection regulations like GDPR or HIPAA by exposing personal or sensitive information.

However, the provided information does not explicitly describe the direct impact of this vulnerability on compliance with specific standards or regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42410. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart