Lucene search
K

73 matches found

NVD
NVD
added 2026/07/03 10:16 a.m.8 views

CVE-2026-5137

The RTMKit rometheme-for-elementor plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7 This is due to insufficient path validation on the 'template' parameter in the rendertemplates AJAX endpoint, which is used directly in a require/include statement...

4.3CVSS0.00266EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/03 9:31 a.m.38 views

CVE-2026-5137 RTMKit <= 2.0.7 - Authenticated (Contributor+) Limited Local File Inclusion via 'template' Parameter

The RTMKit rometheme-for-elementor plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7 This is due to insufficient path validation on the 'template' parameter in the rendertemplates AJAX endpoint, which is used directly in a require/include statement...

4.3CVSS0.00266EPSS
Exploits0References5
CVE
CVE
added 2026/07/03 9:31 a.m.20 views

CVE-2026-5137

The RTMKit (rometheme-for-elementor) WordPress plugin is affected by a Local File Inclusion in versions up to 2.0.7 due to insufficient path validation on the template parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization. Auth...

4.3CVSS6.2AI score0.00266EPSS
Exploits0References5
EUVD
EUVD
added 2026/07/03 9:31 a.m.7 views

EUVD-2026-41528

The RTMKit rometheme-for-elementor plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7 This is due to insufficient path validation on the 'template' parameter in the rendertemplates AJAX endpoint, which is used directly in a require/include statement...

4.3CVSS6.2AI score0.00266EPSS
Exploits0References5
NVD
NVD
added 2026/07/03 8:16 a.m.6 views

CVE-2026-8351

The RTMKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget's 'Background Text' parameter in versions up to, and including, 2.0.7 This is due to insufficient output escaping on the 'backgroundtextheading' setting in the render function, which...

6.4CVSS0.00245EPSS
Exploits0References9
Cvelist
Cvelist
added 2026/07/03 6:50 a.m.40 views

CVE-2026-8351 RTMKit <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Heading Widget 'Background Text' Parameter

The RTMKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget's 'Background Text' parameter in versions up to, and including, 2.0.7 This is due to insufficient output escaping on the 'backgroundtextheading' setting in the render function, which...

6.4CVSS0.00245EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/07/03 6:50 a.m.8 views

CVE-2026-8351

The RTMKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget's 'Background Text' parameter in versions up to, and including, 2.0.7 This is due to insufficient output escaping on the 'backgroundtextheading' setting in the render function, which...

6.4CVSS6.1AI score0.00245EPSS
Exploits0References10
EUVD
EUVD
added 2026/07/03 6:50 a.m.6 views

EUVD-2026-41512

The RTMKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget's 'Background Text' parameter in versions up to, and including, 2.0.7 This is due to insufficient output escaping on the 'backgroundtextheading' setting in the render function, which...

6.4CVSS6.1AI score0.00245EPSS
Exploits0References9
Patchstack
Patchstack
added 2026/07/02 5:43 p.m.7 views

WordPress RTMKit plugin <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by theviper17y in WordPress Plugin RTMKit versions = 2.0.7...

6.4CVSS5.9AI score0.00245EPSS
Exploits0References1Affected Software1
NVD
NVD
added 2026/06/16 6:16 a.m.14 views

CVE-2026-5149

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the getsubmissioncontent AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it...

6.5CVSS0.00238EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/16 5:33 a.m.11 views

EUVD-2026-37038

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the getsubmissioncontent AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it...

6.5CVSS5.4AI score0.00238EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/06/16 5:33 a.m.32 views

CVE-2026-5149 RTMKit <= 2.0.7 - Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access via 'entries_id' Parameter

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the getsubmissioncontent AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it...

6.5CVSS0.00238EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.18 views

PT-2026-49613

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get submission content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it...

6.5CVSS5.5AI score0.00238EPSS
Exploits0References6
Patchstack
Patchstack
added 2026/06/15 5:15 p.m.8 views

WordPress RTMKit plugin <= 2.0.7 - Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access vulnerability

Authenticated Contributor+ Missing Authorization to Arbitrary Form Submission Access vulnerability discovered by wesley wcraft in WordPress Plugin RTMKit versions = 2.0.7...

6.5CVSS5.3AI score0.00238EPSS
Exploits0References1Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 7:37 p.m.9 views

CVE-2026-3426

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the savewidget and resetallwidgets functions in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with Author-lev...

4.3CVSS5.5AI score0.00288EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/06/05 7:21 p.m.10 views

CVE-2026-3425

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' parameter of the 'getcontent' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to include and...

8.8CVSS6.3AI score0.00625EPSS
Exploits0References1
NVD
NVD
added 2026/05/13 1:16 p.m.11 views

CVE-2026-3426

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the savewidget and resetallwidgets functions in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with Author-lev...

4.3CVSS0.00288EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/05/13 12:29 p.m.49 views

CVE-2026-3425 RTMKit Addons for Elementor <= 2.0.2 - Authenticated (Author+) Local File Inclusion via 'path'

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' parameter of the 'getcontent' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to include and...

8.8CVSS0.00625EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/13 12:29 p.m.58 views

CVE-2026-3426 RTMKit Addons for Elementor <= 2.0.2 - Authenticated (Author+) Missing Authorization to Widget Configuration Modification

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the savewidget and resetallwidgets functions in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with Author-lev...

4.3CVSS0.00288EPSS
Exploits0References6
CVE
CVE
added 2026/05/13 12:29 p.m.22 views

CVE-2026-3426

CVE-2026-3426: The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on save_widget() and reset_all_widgets() in all versions up to 2.0.2. This allows authenticated attackers with Author-level access and above to m...

4.3CVSS5.8AI score0.00288EPSS
Exploits0References6
Rows per page
Query Builder