cvebase

Rometheme Rtmkit vulnerabilities

14 known vulnerabilities affecting rometheme/rtmkit.

Total CVEs: 14
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 1, MEDIUM 11

Vulnerabilities

CVE-2025-30911 | P2 | CRITICAL | CVSS 9.9 | ≤ 1.5.4 | 2025-04-01
CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability in Rometheme RTMKit rometheme-for-elementor allows Command Injection. This issue affects RTMKit: from n/a through <= 1.5.4.
nvd
CVE-2025-62065 | P2 | CRITICAL | CVSS 9.9 | ≤ 1.6.5 | 2025-11-06
CWE-434: Unrestricted Upload of File with Dangerous Type vulnerability in Rometheme RTMKit rometheme-for-elementor. This issue affects RTMKit: from n/a through <= 1.6.5.
nvd
CVE-2026-3425 | P3 | HIGH | CVSS 8.8 | ≤ 2.0.2 | 2026-05-13
CWE-98: The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' parameter of the 'get_content' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to include and execute arbitrary PHP files on the server, allowing the exe
nvd
CVE-2026-5149 | P3 | MEDIUM | CVSS 6.5 | ≤ 2.0.7 | 2026-06-16
CWE-863: The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7. This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it possible for authenticated attackers, with Contributor-le
nvd
CVE-2025-64283 | P3 | MEDIUM | CVSS 6.5 | ≤ 1.6.7 | 2025-10-29
CWE-639: Authorization Bypass Through User-Controlled Key vulnerability in Rometheme RTMKit rometheme-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects RTMKit: from n/a through <= 1.6.7.
nvd
CVE-2025-8609 | P4 | MEDIUM | CVSS 6.4 | ≤ 1.6.5 | 2025-11-18
CWE-79: The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Accordion Block's attributes in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level acc
nvd
CVE-2024-47626 | P4 | MEDIUM | CVSS 6.5 | ≤ 1.5.0 | 2024-10-05
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rometheme RTMKit rometheme-for-elementor allows Stored XSS. This issue affects RTMKit: from n/a through <= 1.5.0.
nvd
CVE-2025-49235 | P4 | MEDIUM | CVSS 6.5 | ≤ 1.6.0 | 2025-06-06
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rometheme RTMKit rometheme-for-elementor allows Stored XSS. This issue affects RTMKit: from n/a through <= 1.6.0.
nvd
CVE-2024-32956 | P4 | MEDIUM | CVSS 6.5 | ≤ 1.4.1 | 2024-04-24
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rometheme RTMKit rometheme-for-elementor. This issue affects RTMKit: from n/a through <= 1.4.1.
nvd
CVE-2025-12473 | P4 | MEDIUM | CVSS 6.1 | ≤ 1.6.8 | 2026-03-11
CWE-79: The RTMKit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'themebuilder' parameter in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully tri
nvd
CVE-2026-3426 | P4 | MEDIUM | CVSS 4.3 | ≤ 2.0.2 | 2026-05-13
CWE-862: The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the save_widget() and reset_all_widgets() functions in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with Author-level access and above, to modify or reset site-wide
nvd
CVE-2024-10326 | P4 | MEDIUM | CVSS 4.3 | ≤ 1.5.3 | 2025-03-08
CWE-862: The RomethemeKit For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_options and reset_widgets functions in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings or
nvd
CVE-2025-24743 | P4 | MEDIUM | CVSS 4.3 | ≤ 1.5.2 | 2025-01-27
CWE-862: Missing Authorization vulnerability in Rometheme RTMKit rometheme-for-elementor. This issue affects RTMKit: from n/a through <= 1.5.2.
nvd
CVE-2024-10324 | P4 | MEDIUM | CVSS 4.3 | ≤ 1.5.2 | 2025-01-24
CWE-1230: The RomethemeKit For Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.5.2 via the register_controls function in widgets/offcanvas-rometheme.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and
nvd