CVE-2025-62044: 
WordPress vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in TheGem Theme Elements (for WPBakery) WordPress plugin versions 5.10.5.1 and below. The vulnerability was identified and reported by João Pedro S Alcântara (Kinorth) on October 16, 2025, and was assigned CVE-2025-62044 (Wordfence).

The vulnerability has been assigned a CVSS score of 6.5, indicating a moderate severity level. The attack vector is characterized by CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, suggesting that it requires network access, low attack complexity, and low privileges to exploit. The vulnerability falls under the OWASP Top 10 category A3: Injection (Patchstack).

This vulnerability could allow malicious actors to inject harmful scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when visitors access the affected site. The vulnerability requires at least Contributor-level privileges to exploit (Patchstack).

The vulnerability has been patched in version 5.10.5.2 of TheGem Theme Elements plugin. Site administrators are advised to update to version 5.10.5.2 or later to remove the vulnerability. Users of Patchstack can enable auto-update functionality for vulnerable plugins as an additional security measure (Patchstack).