Skip to main content

RTMKit WordPress Plugin EUVDEUVD-2026-37038

| CVE-2026-5149 MEDIUM
Incorrect Authorization (CWE-863)
2026-06-16 Wordfence GHSA-h4qv-p2j9-74cq
6.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
MEDIUM
qualitative
NVD
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network AJAX endpoint requires only Contributor authentication (PR:L); read-only form data disclosure means I:N and A:N with full record exposure justifying C:H.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 06:22 vuln.today
CVE Published
Jun 16, 2026 - 05:33 nvd
MEDIUM 6.5

DescriptionNVD

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it possible for authenticated attackers, with Contributor-level access and above, to view arbitrary form submissions from other users by iterating the entries_id parameter.

AnalysisAI

Unauthorized form submission disclosure in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows any Contributor-level WordPress user to read arbitrary form submissions belonging to other users. The root cause is a missing capability check on the get_submission_content AJAX endpoint, enabling horizontal privilege escalation across all stored form entries by iterating numeric entry IDs. No public exploit or CISA KEV listing has been identified at time of analysis, but exploitation is mechanically trivial for any authenticated user; sites collecting sensitive PII or business data via RTMKit forms should treat this as high operational priority despite the medium CVSS score.

Technical ContextAI

RTMKit, distributed under the WordPress.org slug 'rometheme-for-elementor' (CPE: cpe:2.3:a:rometheme:rtmkit:*:*:*:*:*:*:*:*), is a WordPress plugin extending Elementor with form-building and submission-management capabilities. The vulnerability resides in Inc/Modules/Submission/SubmissionModule.php at lines 22 and 29, where the get_submission_content AJAX action is registered for both logged-in (wp_ajax_) and potentially privileged contexts without invoking current_user_can() or any equivalent capability gate. CWE-863 (Incorrect Authorization) describes exactly this pattern: access control code exists structurally but fails to verify that the requesting principal has rights to the specific resource being accessed. Because WordPress AJAX endpoints are globally reachable at wp-admin/admin-ajax.php for any authenticated session, the absence of a capability check means the authorization boundary is entirely absent for this action, not merely weakened.

RemediationAI

The primary fix is to update RTMKit (rometheme-for-elementor) to version 2.0.8 or later via the WordPress plugin dashboard or by downloading the patched release from the WordPress.org plugin repository. The fix is confirmed in Trac changeset 3568335 (https://plugins.trac.wordpress.org/changeset/3568335/rometheme-for-elementor/trunk/Inc/Modules/Submission/SubmissionModule.php), which adds the missing capability check to the get_submission_content AJAX handler. If immediate patching is not possible, administrators should audit and restrict Contributor-level user accounts to only trusted individuals - note that this may affect standard editorial workflows on sites using WordPress's built-in role model. As a secondary compensating control, disabling the RTMKit form submission module or deactivating the plugin entirely removes the AJAX endpoint from the attack surface; however, this will break active form collection and submission review functionality. The Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/1fe363b2-8c70-45cd-9fdc-8979f894efd8) should be monitored for updated guidance.

Share

EUVD-2026-37038 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy