CVE-2026-57804info

Summary

by MITRE • 07/13/2026

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in CodexThemes TheGem Theme Elements (for Elementor) thegem-elements-elementor allows PHP Local File Inclusion.This issue affects TheGem Theme Elements (for Elementor): from n/a through <= 5.11.1.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/13/2026

The vulnerability described represents a critical improper control of filename for include/require statements in PHP applications, commonly categorized as PHP Remote File Inclusion or Local File Inclusion. This flaw exists within the CodexThemes TheGem Theme Elements (for Elementor) plugin, specifically affecting versions up to and including 5.11.1. The issue stems from insufficient validation of user-supplied input that is directly used in PHP include or require statements, creating a pathway for malicious actors to execute arbitrary code on the target system.

The technical implementation of this vulnerability occurs when the plugin fails to properly sanitize or validate filename parameters before using them in PHP include functions such as include(), require(), include_once(), or require_once(). When attackers can manipulate these parameters through HTTP request variables, they can potentially load and execute malicious PHP files from remote servers or local system files. This weakness directly maps to CWE-98 which describes improper control of code generation and execution, specifically related to the inclusion of files based on user input without proper validation.

The operational impact of this vulnerability is severe as it allows attackers to achieve arbitrary code execution on the affected web server. Attackers can leverage this flaw to upload and execute malicious scripts, potentially gaining full control over the compromised system. The vulnerability affects the core functionality of WordPress themes and page builders through Elementor integration, making it particularly dangerous in environments where multiple users have access to content management features. The scope extends beyond simple code execution as attackers may exploit this to establish persistent backdoors, escalate privileges, or move laterally within network infrastructure.

Mitigation strategies should focus on implementing strict input validation and sanitization for all user-supplied parameters used in include/require statements. The recommended approach includes using allowlists of permitted values, implementing proper parameter validation, and avoiding direct use of user input in file inclusion functions. Organizations should also consider implementing web application firewalls to detect and block suspicious patterns associated with file inclusion attacks. Additionally, the ATT&CK framework categorizes this vulnerability under T1190 - Exploit Public-Facing Application, highlighting the importance of maintaining up-to-date software versions and implementing proper access controls. The most effective immediate fix is to upgrade to a patched version of the TheGem Theme Elements plugin where available, as this vulnerability represents a well-known pattern that has been addressed in subsequent releases through proper input validation mechanisms.

Disclosure

07/13/2026

Moderation

in review

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!