CVE-2025-62045
Published: 06 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-62045 is an Improper Control of Filename for Include/Require Statement in PHP Program vulnerability, classified as PHP Remote File Inclusion (CWE-98), affecting CodexThemes' TheGem Theme Elements (for WPBakery) plugin (slug: thegem-elements) for WordPress. It affects all versions from n/a through 5.10.5.1. Published on 2025-11-06, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), a high-severity rating that reflects full confidentiality, integrity and availability impact once exploitation succeeds.
The vector requires no privileges and no user interaction, so an unauthenticated attacker with network access to the site can attempt it, but the attack complexity is rated high. Successful exploitation lets the attacker cause the PHP include/require statement to load a file the attacker controls, which PHP then executes, so the realistic outcome is remote code execution in the context of the web server running the WordPress site.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/thegem-elements/vulnerability/wordpress-thegem-theme-elements-for-wpbakery-plugin-5-10-5-1-local-file-inclusion-vulnerability?_s_id=cve documents the vulnerability and provides mitigation guidance for affected installations of the TheGem Theme Elements plugin up to version 5.10.5.1. Note that the advisory's URL slug labels the issue a local file inclusion while the CVE record assigns CWE-98 (remote file inclusion); in either reading the root cause is the same, an include path derived from untrusted input, and the remediation is the same: update the plugin past 5.10.5.1, and until then confirm that allow_url_include is Off and restrict access to the plugin's front-end endpoints.
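The following is an added illustration of the CWE-98 pattern the summary describes and of the corresponding hardening; it is generic example code written for this page, not TheGem's code (the plugin's vulnerable function is not reproduced in the CVE record), and the template-loader names, the templates directory and the allowlist are assumptions chosen for the illustration.

```php
<?php
// Added example (not the thegem-elements plugin's code): a hypothetical template loader
// showing the CWE-98 pattern and a hardened replacement.

// Vulnerable pattern: a request-controlled value flows straight into include().
// If allow_url_include is On, a URL here is fetched and executed; even with it Off,
// the same sink can be driven to include arbitrary local files (the LFI variant).
function load_template_vulnerable(string $name): void
{
    include $name; // sink: filename fully controlled by the caller
}

// Hardened pattern: untrusted input is only ever used as a key into a fixed allowlist,
// and the resolved path is re-checked against the template directory.
const TEMPLATE_DIR = __DIR__ . '/templates';              // assumed layout
const ALLOWED_TEMPLATES = [                               // assumed allowlist
    'header' => 'header.php',
    'footer' => 'footer.php',
];

function load_template_hardened(string $name): void
{
    if (!array_key_exists($name, ALLOWED_TEMPLATES)) {
        throw new InvalidArgumentException('Unknown template');
    }

    $base = realpath(TEMPLATE_DIR);
    $real = realpath(TEMPLATE_DIR . '/' . ALLOWED_TEMPLATES[$name]);

    // Defence in depth: the resolved file must exist and sit inside TEMPLATE_DIR.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('Template path outside template directory');
    }

    include $real;
}

// Operator check: remote inclusion through include/require needs allow_url_include,
// which PHP ships Off by default and has deprecated since 7.4. Returns the effective
// settings so they can be surfaced in a diagnostic page or CLI script.
function rfi_settings_report(): array
{
    return [
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
    ];
}

// Usage with a constructed request value (never pass it to the vulnerable loader).
$requested = $_GET['tpl'] ?? 'header';
try {
    load_template_hardened($requested);
} catch (Throwable $e) {
    http_response_code(400);
    echo 'Template rejected';
}
var_export(rfi_settings_report());
```

The allowlist is the actual fix: once the include target is selected by key rather than assembled from input, neither a URL nor a traversal sequence can reach the sink. The realpath check and the ini report are secondary controls; turning allow_url_include off blocks the remote variant but does nothing against local inclusion, which is why it is not a substitute for updating the plugin.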
Details
- CWE(s): CWE-98, Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion)
- MITRE ATT&CK Enterprise Techniques: T1190, Exploit Public-Facing Application
Why these techniques?
The RFI vulnerability sits in a plugin that is exposed by a public-facing WordPress site and lets an unauthenticated attacker reach remote code execution, which is exactly the initial-access path ATT&CK models as Exploit Public-Facing Application.