The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2
Description
The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2
Remediation
Update WordPress plugin/theme to the latest version. Review WordPress security settings and remove if no longer needed.
---METADATA---
VENDOR: wenxian
PRODUCT: wenxian
AFFECTED_VERSIONS: Versions 0.3.1 and prior
---END_METADATA---
Description Summary:
The wenxian GitHub Actions workflow is vulnerable to command injection via untrusted user input in issue comments, allowing arbitrary code execution on the GitHub runner.
Executive Summary:
An unauthenticated attacker can execute arbitrary code on a GitHub Actions runner by simply posting a crafted comment on a repository using the wenxian tool.
Vulnerability Details
CVE-ID: CVE-2026-34243
Affected Software: wenxian (GitHub Actions workflow)
Affected Versions: Versions 0.3.1 and prior
Vulnerability: The workflow uses
issue_comment.bodydirectly inside a shell command without sanitization. An unauthenticated attacker can post a comment containing shell metacharacters to trigger command injection and execute arbitrary code within the context of the GitHub Actions runner.Business Impact
A successful exploit allows an attacker to hijack the CI/CD pipeline. This can lead to the theft of GitHub secrets (e.g., API keys, cloud credentials), the injection of malicious code into the software supply chain, or unauthorized access to the repository. The CVSS score of 9.8 highlights the extreme risk of supply chain compromise.
Remediation Plan
Immediate Action: Disable the affected GitHub Actions workflow immediately. Since no patch is currently available, manually sanitize the workflow file to use environment variables for user input instead of direct shell interpolation.
Proactive Monitoring: Review GitHub Actions run history for suspicious activity and audit all secrets used by the affected repository for potential compromise.
Compensating Controls: Use "Restrict repository permissions" in GitHub to ensure that the
GITHUB_TOKENhas minimal permissions (read-only) for workflows triggered by external users.Exploitation Status
Public Exploit Available: No
Analyst Notes: As of March 31, 2026, there are no publicly available patches. This vulnerability is particularly dangerous as it can be triggered by any GitHub user by simply commenting on an issue.
Analyst Recommendation
The lack of a vendor patch makes this a critical "zero-day" risk for users of wenxian. Immediate manual intervention is required to secure the GitHub Actions workflow. Ensure that all user-supplied data is treated as untrusted and never passed directly to a shell.