Description
The RTMKit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'themebuilder' parameter in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a site administrator into performing an action such as clicking on a link.
Published: 2026-03-11
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting
Action: Patch
AI Analysis

Impact

The RTMKit WordPress plugin contains a Reflected Cross‑Site Scripting flaw in its handling of the 'themebuilder' request parameter. The value is neither sufficiently sanitized on input nor escaped on output, so an unauthenticated attacker can craft a URL whose parameter value carries arbitrary HTML and JavaScript. If a site administrator opens that URL (for example by clicking a link sent to them), the script runs in the administrator's browser in the context of the site, where it can alter page content or act with the administrator's authenticated session.

Affected Systems

All releases of the RTMKit plugin by rometheme up to and including version 1.6.8 are affected, per the CVE description. No fixed version is identified on this page.

Risk and Exploitability

The CVSS 3.1 score of 6.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates moderate severity: network‑reachable, low attack complexity and no privileges required, but dependent on user interaction, with a scope change because the injected script executes in the victim's browser rather than in the plugin itself. The EPSS score below 1 % suggests a low likelihood of near‑term exploitation, and the vulnerability is not listed in the CISA KEV catalog; the SSVC assessment recorded in the history below is Exploitation: none, Automatable: no. Exploitation requires delivering a crafted request carrying a malicious 'themebuilder' value to an administrator's browser, typically as a link the administrator is persuaded to open.

Generated by OpenCVE AI on March 17, 2026 at 16:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check whether a newer RTMKit version that removes the vulnerability has been released and upgrade if feasible; no fixed version is identified on this page.
  • If an update cannot be applied promptly, disable or remove the themebuilder functionality or uninstall the RTMKit plugin entirely.
  • After applying a fix or disabling the feature, test the site to confirm that requests containing the "themebuilder" parameter no longer produce reflected XSS.
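The verification step above, and the input/output escaping failure described under Impact, can be exercised with a small regression check. The following is an added example and is not code from the OpenCVE page or from the RTMKit plugin: it sends a unique canary in the 'themebuilder' parameter and classifies whether the response reflects it unescaped, escaped, altered (for instance with tags stripped but quotes intact, which still needs a manual look), or not at all. The three fetch functions and their HTML snippets are constructed stand‑ins for an unpatched, a patched and a tag‑stripping handler; the plugin's endpoint path is not given on the page, so a live run requires a URL supplied by the tester.

```python
"""Reflected-XSS regression check for one GET parameter.

Added example; not code from the OpenCVE page or the RTMKit plugin.  It
implements the recommended test step: send a request whose 'themebuilder'
value carries a unique canary, then classify how (or whether) the response
reflects it.  The fetch functions and HTML snippets below are constructed
stand-ins for an unpatched, a patched and a tag-stripping handler; the real
endpoint path is not given on the page, so a live run needs a URL supplied
by the tester.
"""
import html
import re
import secrets
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

PARAM = "themebuilder"  # parameter named in the CVE description

Fetch = Callable[[Dict[str, str]], str]


def make_canary() -> str:
    """Unique value whose markup characters must survive for XSS to be possible.

    The hex token appears both outside and inside the tag so that a response
    which strips tags but keeps the text can still be recognised as a reflection.
    """
    tag = secrets.token_hex(4)
    return f'{tag}"><xss{tag}>'


def classify_reflection(body: str, canary: str) -> str:
    """Classify a response body against the canary that was sent.

    'unescaped': canary reflected verbatim, markup intact (vulnerable)
    'escaped':   reflected with quote and angle brackets encoded, as esc_attr()/esc_html() do
    'altered':   token present but markup changed (e.g. tags stripped); review by hand
    'absent':    parameter not reflected at all
    """
    if canary in body:
        return "unescaped"
    if html.escape(canary, quote=True) in body:
        return "escaped"
    token = canary.split('"', 1)[0]
    if token in body:
        return "altered"
    return "absent"


def check_param(fetch: Fetch, canary: Optional[str] = None) -> Dict[str, str]:
    """Send the canary in PARAM through `fetch` and report the classification."""
    canary = canary or make_canary()
    body = fetch({PARAM: canary})
    return {"param": PARAM, "canary": canary, "result": classify_reflection(body, canary)}


def http_fetch(base_url: str) -> Fetch:
    """Real fetcher for a site you are authorised to test (endpoint URL is an assumption)."""
    def fetch(params: Dict[str, str]) -> str:
        url = base_url + ("&" if "?" in base_url else "?") + urllib.parse.urlencode(params)
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return fetch


# --- constructed stand-ins (no network) ---------------------------------

def vulnerable_fetch(params: Dict[str, str]) -> str:
    """Models the unpatched behaviour: the value is echoed into an attribute raw."""
    return f'<div class="rtm-builder" data-mode="{params.get(PARAM, "")}"></div>'


def patched_fetch(params: Dict[str, str]) -> str:
    """Models output escaping equivalent to WordPress esc_attr()."""
    return f'<div class="rtm-builder" data-mode="{html.escape(params.get(PARAM, ""), quote=True)}"></div>'


def stripping_fetch(params: Dict[str, str]) -> str:
    """Models tag stripping without attribute escaping: the quote still breaks out."""
    value = re.sub(r"<[^>]*>", "", params.get(PARAM, ""))
    return f'<div class="rtm-builder" data-mode="{value}"></div>'


if __name__ == "__main__":
    for name, fetch in [("vulnerable", vulnerable_fetch),
                        ("patched", patched_fetch),
                        ("stripping", stripping_fetch)]:
        print(name, check_param(fetch)["result"])
```

Only "escaped" or "absent" should be accepted as a pass; "altered" means some sanitization ran but the result must be inspected in the actual output context, since a stripped tag still leaves the closing quote able to terminate an attribute.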

Generated by OpenCVE AI on March 17, 2026 at 16:07 UTC.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Rometheme; Rometheme rtmkit; Wordpress; Wordpress wordpress
Vendors & Products    (none)           Rometheme; Rometheme rtmkit; Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 02:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           The RTMKit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'themebuilder' parameter in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a site administrator into performing an action such as clicking on a link.
Title         (none)           RTMKit <= 1.6.8 - Reflected Cross-Site Scripting via 'themebuilder' Parameter
Weaknesses    (none)           CWE-79
References    (none)           (none)
Metrics       (none)           cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T15:39:47.393Z

Reserved: 2025-10-29T15:57:04.882Z

Link: CVE-2025-12473

Vulnrichment

Updated: 2026-03-11T15:39:37.977Z

NVD

Status : Awaiting Analysis

Published: 2026-03-11T02:16:02.437

Modified: 2026-03-11T13:52:47.683

Link: CVE-2025-12473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:38:22Z

Weaknesses