Rt Theme 18 Extensions
Monthly
Reflected cross-site scripting in the stmcan RT-Theme 18 | Extensions WordPress plugin (all versions up to and including 2.5) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), a successful payload can affect resources beyond the vulnerable component, such as the WordPress session context. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; disclosure comes from Patchstack.
PHP Object Injection in the RT-Theme 18 | Extensions plugin (rt18-extensions) for WordPress affects all versions up to and including 2.5, allowing remote attackers to inject arbitrary PHP objects by supplying crafted serialized data to an unsafe deserialization sink. Because the CVSS vector reports PR:N/UI:N, exploitation does not require authentication or user interaction, and impact escalates to full compromise (confidentiality, integrity, availability all High) when a usable POP gadget chain is present in the WordPress stack. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; the 9.8 base score reflects worst-case object-injection potential rather than confirmed in-the-wild activity.
PHP Local File Inclusion in the WordPress RT-Theme 18 | Extensions plugin (rt18-extensions) by stmcan lets remote attackers coerce the plugin into including attacker-influenced local file paths in an include/require statement, exposing sensitive files and potentially achieving code execution if a suitable includable file exists. All versions from an unspecified start through 2.5 are affected. No public exploit identified at time of analysis and it is not on CISA KEV, but the CVSS 3.1 base score is 8.1 (high) and the flaw is reachable without authentication.
RT-Theme 18 Extensions WordPress plugin versions up to 2.5 exposes sensitive data through insertion of information into sent data, allowing unauthenticated remote attackers to retrieve embedded sensitive information with low attack complexity. The vulnerability affects the plugin's data transmission mechanisms and has an EPSS exploitation probability of 0.02%, indicating minimal real-world attack likelihood despite the moderate CVSS score.
Cross-site request forgery (CSRF) in stmcan RT-Theme 18 Extensions plugin version 2.5 and earlier allows unauthenticated remote attackers to perform unintended actions on behalf of authenticated users through crafted requests, requiring user interaction. EPSS exploitation probability is minimal at 0.01%, and no public exploit code or active exploitation has been identified; however, the vulnerability carries real-world risk due to the low technical bar for CSRF attacks and the plugin's web-accessible attack surface.
Reflected cross-site scripting in the stmcan RT-Theme 18 | Extensions WordPress plugin (all versions up to and including 2.5) lets remote attackers inject arbitrary JavaScript that executes in a victim's browser when they follow a crafted link. Because the CVSS scope is changed (S:C), a successful payload can affect resources beyond the vulnerable component, such as the WordPress session context. No public exploit has been identified at time of analysis and the vulnerability is not listed in CISA KEV; disclosure comes from Patchstack.
PHP Object Injection in the RT-Theme 18 | Extensions plugin (rt18-extensions) for WordPress affects all versions up to and including 2.5, allowing remote attackers to inject arbitrary PHP objects by supplying crafted serialized data to an unsafe deserialization sink. Because the CVSS vector reports PR:N/UI:N, exploitation does not require authentication or user interaction, and impact escalates to full compromise (confidentiality, integrity, availability all High) when a usable POP gadget chain is present in the WordPress stack. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; the 9.8 base score reflects worst-case object-injection potential rather than confirmed in-the-wild activity.
PHP Local File Inclusion in the WordPress RT-Theme 18 | Extensions plugin (rt18-extensions) by stmcan lets remote attackers coerce the plugin into including attacker-influenced local file paths in an include/require statement, exposing sensitive files and potentially achieving code execution if a suitable includable file exists. All versions from an unspecified start through 2.5 are affected. No public exploit identified at time of analysis and it is not on CISA KEV, but the CVSS 3.1 base score is 8.1 (high) and the flaw is reachable without authentication.
RT-Theme 18 Extensions WordPress plugin versions up to 2.5 exposes sensitive data through insertion of information into sent data, allowing unauthenticated remote attackers to retrieve embedded sensitive information with low attack complexity. The vulnerability affects the plugin's data transmission mechanisms and has an EPSS exploitation probability of 0.02%, indicating minimal real-world attack likelihood despite the moderate CVSS score.
Cross-site request forgery (CSRF) in stmcan RT-Theme 18 Extensions plugin version 2.5 and earlier allows unauthenticated remote attackers to perform unintended actions on behalf of authenticated users through crafted requests, requiring user interaction. EPSS exploitation probability is minimal at 0.01%, and no public exploit code or active exploitation has been identified; however, the vulnerability carries real-world risk due to the low technical bar for CSRF attacks and the plugin's web-accessible attack surface.