CVE-2026-12907
CVE-2026-12907 affects the RTMKit WordPress plugin prior to 2.0.9. The root cause is a missing capability check on a -builder AJAX action, allowing users with at least the Author role to create and activate a site-wide template that can override header, footer, or other global areas served to all...