CVE-2026-3425
Rometheme · RTMKit (WordPress Plugin)
The RTMKit Addons for Elementor plugin for WordPress contains a Local File Inclusion vulnerability allowing authenticated attackers to execute arbitrary code.
Executive summary
A critical Local File Inclusion vulnerability in the RTMKit Addons for Elementor plugin for WordPress allows authenticated attackers to potentially achieve remote code execution.
Vulnerability
The plugin contains a Local File Inclusion vulnerability (CWE-98) due to improper control of filenames in include/require statements. Exploitation requires the attacker to have at least low-level (authenticated) access to the WordPress site.
Business impact
An attacker successfully exploiting this vulnerability can read sensitive system files or execute arbitrary PHP code on the server. This could lead to a full site takeover, database compromise, and the potential for further lateral movement within the hosting environment, justifying the 8.8 CVSS score.
Remediation
Immediate Action: Update the RTMKit plugin to version 2.0.3 or later immediately to address the underlying file inclusion flaw.
Proactive Monitoring: Audit WordPress user accounts for suspicious activity and monitor server access logs for requests attempting to access sensitive files or unexpected file paths.
Compensating Controls: Utilize a Web Application Firewall (WAF) with rules configured to block common LFI patterns and directory traversal attempts.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Administrators should update the RTMKit plugin immediately. Furthermore, ensure that user registration and access control policies are strictly enforced to prevent unauthorized users from reaching the vulnerable function.