CVE-2025-62045 is a remote file inclusion vulnerability found in the CodexThemes TheGem Theme Elements plugin for WPBakery, a popular WordPress page builder. The vulnerability stems from improper validation and control of filenames used in PHP include or require statements within the plugin’s code. This flaw allows an attacker with low-level privileges (authenticated user) to supply a crafted filename that points to a remote malicious file. When the plugin includes this remote file, the attacker can execute arbitrary PHP code on the server, leading to a compromise of the confidentiality and integrity of the affected system. The vulnerability affects all versions of TheGem Theme Elements up to and including 5.10.5.1. The CVSS v3.1 base score is 8.1, indicating a high severity due to network attack vector, low attack complexity, low privileges required, no user interaction, and high impact on confidentiality and integrity. Although no public exploits are currently known, the nature of the vulnerability makes it a critical risk for WordPress sites using this plugin. Attackers could leverage this to deploy web shells, steal sensitive data, or pivot within the network. The vulnerability does not directly impact availability but can indirectly affect service through malicious actions. The issue was reserved in early October 2025 and published in November 2025, with no patch links currently available, indicating that organizations must monitor for updates from CodexThemes and Patchstack. The vulnerability is particularly relevant for websites that rely on TheGem Theme Elements for WPBakery, which is widely used in creative and e-commerce sectors.

For European organizations, this vulnerability poses a significant risk to WordPress-based websites, especially those using TheGem Theme Elements plugin. Successful exploitation could lead to unauthorized code execution, data breaches involving customer or business data, and potential defacement or takeover of websites. This can damage brand reputation, lead to regulatory non-compliance (e.g., GDPR violations due to data exposure), and cause financial losses. E-commerce platforms and service providers relying on WordPress themes are particularly vulnerable, as attackers may steal payment data or customer information. The requirement for low privilege authentication means insider threats or compromised user accounts can be leveraged. Given the widespread use of WordPress in Europe, the threat surface is substantial. Additionally, compromised sites could be used as launchpads for further attacks within corporate networks or to distribute malware to visitors. The lack of current public exploits provides a window for mitigation, but the high CVSS score underscores urgency.

1. Monitor CodexThemes and WPBakery official channels for patches addressing CVE-2025-62045 and apply updates immediately upon release. 2. Until patches are available, restrict PHP include paths by configuring PHP settings (e.g., disable allow_url_include) to prevent remote file inclusion. 3. Implement web application firewalls (WAFs) with rules to detect and block suspicious include/require requests or anomalous HTTP parameters. 4. Limit user privileges on WordPress sites to the minimum necessary to reduce the risk of low-privilege authenticated exploitation. 5. Conduct regular security audits and code reviews of custom themes/plugins to identify unsafe file inclusion patterns. 6. Monitor server and application logs for unusual file inclusion attempts or unexpected remote connections. 7. Employ network segmentation to isolate web servers from critical internal systems to limit lateral movement if compromised. 8. Educate site administrators about the risks of installing unverified plugins and the importance of timely updates. 9. Consider temporary disabling or replacing TheGem Theme Elements plugin if patching is delayed and risk is unacceptable.