CVE-2026-3425

Rometheme · RTMKit (WordPress Plugin)

The RTMKit Addons for Elementor plugin for WordPress contains a Local File Inclusion vulnerability allowing authenticated attackers to execute arbitrary code.

Executive summary

A critical Local File Inclusion vulnerability in the RTMKit Addons for Elementor plugin for WordPress allows authenticated attackers to potentially achieve remote code execution.

Vulnerability

The plugin contains a Local File Inclusion vulnerability (CWE-98) due to improper control of filenames in include/require statements. Exploitation requires the attacker to have at least low-level (authenticated) access to the WordPress site.

Business impact

An attacker successfully exploiting this vulnerability can read sensitive system files or execute arbitrary PHP code on the server. This could lead to a full site takeover, database compromise, and the potential for further lateral movement within the hosting environment, justifying the 8.8 CVSS score.

Remediation

Immediate Action: Update the RTMKit plugin to version 2.0.3 or later immediately to address the underlying file inclusion flaw.

Proactive Monitoring: Audit WordPress user accounts for suspicious activity and monitor server access logs for requests attempting to access sensitive files or unexpected file paths.

Compensating Controls: Utilize a Web Application Firewall (WAF) with rules configured to block common LFI patterns and directory traversal attempts.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Administrators should update the RTMKit plugin immediately. Furthermore, ensure that user registration and access control policies are strictly enforced to prevent unauthorized users from reaching the vulnerable function.