High-Severity Flaws in 'TheGem' WordPress Plugin Expose Sites to RFI and XSS Attacks

Executive Summary

On December 23, 2025, two vulnerabilities were publicly disclosed in the TheGem Theme Elements plugin for Elementor, a popular tool for building WordPress websites. The flaws expose websites to significant risk. The first, CVE-2025-68560, is a high-severity Remote File Inclusion (RFI) vulnerability (CVSS 7.5) that could lead to full server compromise. The second, CVE-2025-68559, is a medium-severity Cross-Site Scripting (XSS) vulnerability (CVSS 6.5). All versions of the plugin up to and including 5.10.5.1 are affected. Website administrators are strongly advised to update the plugin to a patched version immediately to prevent potential exploitation.

Vulnerability Details

CVE-2025-68560: Remote File Inclusion (RFI)

• CVSS Score: 7.5 (High)
• Description: This vulnerability exists due to improper control of filenames used in include or require statements within the plugin's PHP code. An attacker can manipulate input to cause the server to include and execute a PHP file hosted on a remote server. Successful exploitation typically leads to arbitrary code execution with the permissions of the web server process, resulting in a complete compromise of the website and potentially the underlying server.

CVE-2025-68559: Cross-Site Scripting (XSS)

• CVSS Score: 6.5 (Medium)
• Description: This flaw is a result of the plugin failing to properly sanitize user-supplied input before rendering it on a web page. An attacker can inject malicious JavaScript code into a vulnerable page. When a victim visits this page, the script executes in their browser, allowing the attacker to steal session cookies, deface the site, or redirect users to malicious websites.

Affected Systems

• Plugin: CodexThemes TheGem Theme Elements for Elementor
• Affected Versions: All versions up to and including 5.10.5.1

Technical Analysis

The RFI vulnerability (CVE-2025-68560) is the more critical of the two. It likely exists in a function that takes a user-supplied parameter (e.g., from a URL query string or POST body) and uses it directly in a PHP include() statement. An attacker could provide a URL to their own malicious PHP script (e.g., http://attacker.com/shell.txt) as the parameter value, causing the WordPress server to fetch and execute it.

The XSS vulnerability (CVE-2025-68559) is a classic stored or reflected XSS flaw where input is not properly escaped using functions like htmlspecialchars() before being displayed to the user.

MITRE ATT&CK TTPs

• Initial Access: T1190 - Exploit Public-Facing Application (for CVE-2025-68560)
• Execution: T1059.007 - JavaScript (for CVE-2025-68559)
• Execution: T1059.005 - Visual Basic (if PHP webshell is used)
• Persistence: T1505.003 - Web Shell (A common outcome of RFI exploitation)

Impact Assessment

Exploitation of CVE-2025-68560 can lead to a full website takeover. Attackers can steal sensitive data from the website's database (including user credentials), deface the site, inject malware to attack visitors (drive-by downloads), or use the compromised server to send spam or participate in DDoS attacks. The impact is severe.

Exploitation of CVE-2025-68559 primarily affects the website's users. It can lead to account takeover for logged-in users (including administrators) if session cookies are stolen, compromising the integrity of the site.

Cyber Observables for Detection

Detection & Response

1. Web Application Firewall (WAF): Implement a WAF with rulesets designed to block common RFI and XSS attack patterns. This can provide a layer of protection against exploitation attempts. This is a form of D3-ITF: Inbound Traffic Filtering.
2. Log Analysis: Regularly review web server access logs and WAF logs for the observable patterns listed above. A spike in HTTP 404 or 500 errors can also indicate failed exploit attempts.
3. File Integrity Monitoring (FIM): Use a FIM tool to monitor your WordPress installation for unexpected file changes or the appearance of new PHP files, which could indicate a successful webshell upload.

Mitigation

1. Update Immediately: The primary and most effective mitigation is to update TheGem Theme Elements plugin to the latest patched version (greater than 5.10.5.1) through the WordPress dashboard. This is an application of D3-SU: Software Update.
2. Disable Plugin (Temporary): If you cannot update immediately, disable and delete the plugin as a temporary measure to remove the attack surface. This will likely break your site's functionality, so it should only be a last resort.
3. Harden PHP Configuration: To mitigate RFI risks in general, ensure your server's php.ini file has allow_url_fopen and allow_url_include set to Off. This prevents PHP from fetching remote files via include/require statements, breaking most RFI exploits. This is a key part of D3-PH: Platform Hardening.
4. Regular Backups: Maintain regular, automated backups of your website files and database. In the event of a compromise, a clean backup is the fastest way to restore your site.