Skip to main content

Rtmkit

3 CVEs product

Monthly

CVE-2026-5137 MEDIUM This Month

Local File Inclusion in the RTMKit (rometheme-for-elementor) plugin for WordPress versions up to and including 2.0.7 allows authenticated attackers with Contributor-level access to include and execute arbitrary PHP code on the server. The render_templates AJAX endpoint passes the unsanitized 'template' parameter directly into a PHP require/include statement, restricted only to files ending in _templates.php. Wordfence reported this vulnerability; no public exploit code or CISA KEV listing is present at time of analysis.

WordPress LFI Information Disclosure PHP Rtmkit
NVD
CVSS 3.1
4.3
EPSS
0.3%
CVE-2026-8351 MEDIUM This Month

Stored Cross-Site Scripting in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows authenticated contributors to persist arbitrary JavaScript in WordPress pages via the Advanced Heading widget's 'Background Text' field. The root cause is the direct concatenation of the user-controlled `background_text_heading` setting into an HTML attribute inside the widget's `render()` function without applying WordPress's `esc_attr()` sanitization, reported by Wordfence. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, but the contributor-level access prerequisite makes this realistically exploitable on multi-author or open-registration WordPress sites.

WordPress XSS Rtmkit
NVD
CVSS 3.1
6.4
EPSS
0.2%
CVE-2026-5149 MEDIUM This Month

Unauthorized form submission disclosure in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows any Contributor-level WordPress user to read arbitrary form submissions belonging to other users. The root cause is a missing capability check on the get_submission_content AJAX endpoint, enabling horizontal privilege escalation across all stored form entries by iterating numeric entry IDs. No public exploit or CISA KEV listing has been identified at time of analysis, but exploitation is mechanically trivial for any authenticated user; sites collecting sensitive PII or business data via RTMKit forms should treat this as high operational priority despite the medium CVSS score.

Authentication Bypass WordPress Rtmkit
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
EPSS 0% CVSS 4.3
MEDIUM This Month

Local File Inclusion in the RTMKit (rometheme-for-elementor) plugin for WordPress versions up to and including 2.0.7 allows authenticated attackers with Contributor-level access to include and execute arbitrary PHP code on the server. The render_templates AJAX endpoint passes the unsanitized 'template' parameter directly into a PHP require/include statement, restricted only to files ending in _templates.php. Wordfence reported this vulnerability; no public exploit code or CISA KEV listing is present at time of analysis.

WordPress LFI Information Disclosure +2
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows authenticated contributors to persist arbitrary JavaScript in WordPress pages via the Advanced Heading widget's 'Background Text' field. The root cause is the direct concatenation of the user-controlled `background_text_heading` setting into an HTML attribute inside the widget's `render()` function without applying WordPress's `esc_attr()` sanitization, reported by Wordfence. No active exploitation is confirmed (not listed in CISA KEV) and no public exploit code has been identified at time of analysis, but the contributor-level access prerequisite makes this realistically exploitable on multi-author or open-registration WordPress sites.

WordPress XSS Rtmkit
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Unauthorized form submission disclosure in RTMKit (rometheme-for-elementor) versions up to and including 2.0.7 allows any Contributor-level WordPress user to read arbitrary form submissions belonging to other users. The root cause is a missing capability check on the get_submission_content AJAX endpoint, enabling horizontal privilege escalation across all stored form entries by iterating numeric entry IDs. No public exploit or CISA KEV listing has been identified at time of analysis, but exploitation is mechanically trivial for any authenticated user; sites collecting sensitive PII or business data via RTMKit forms should treat this as high operational priority despite the medium CVSS score.

Authentication Bypass WordPress Rtmkit
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy