CVE-2026-8351 RTMKit <= 2.0.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Advanced Heading Widget 'Background Text' Parameter
The RTMKit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Advanced Heading widget's 'Background Text' parameter in versions up to, and including, 2.0.7 This is due to insufficient output escaping on the 'backgroundtextheading' setting in the render function, which...