The RTMKit (rometheme-for-elementor) plugin for WordPress...
Moderate severity
Unreviewed
Published
Jul 3, 2026
to the GitHub Advisory Database
•
Updated Jul 3, 2026
Description
Published by the National Vulnerability Database
Jul 3, 2026
Published to the GitHub Advisory Database
Jul 3, 2026
Last updated
Jul 3, 2026
The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7 This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute files on the server ending in _templates.php, allowing the execution of any PHP code in those files.
References