The Rometheme RTMKit rometheme-for-elementor plugin allows attackers to inject arbitrary code through improper control of code generation, leading to command injection. A compromised site can execute system commands with the privileges of the web server. This flaw enables full remote code execution, exposing the entire server to compromise and potentially affecting all data stored on the host. The vulnerability is classified as CWE‑94 (Improper Control of Generation of Code).

The flaw occurs in the Rometheme RTMKit plugin for WordPress, affecting all releases 1.5.4 and earlier. WordPress sites that have the RTMKit plugin installed and that allow plugin uploads or activation through the WordPress admin interface are impacted. The issue is present in the entire plugin codebase that handles plugin installation and activation.

The CVSS score of 9.9 indicates a critical security risk. The EPSS score of 2 % suggests that while exploitation probability is not high, it is non‑negligible, and the vulnerability is not yet listed in CISA KEV. The attack vector likely requires administrative privileges to upload or activate a malicious plugin, but if the site improperly allows non‑admin users to install plugins, the barrier lowers. Successful exploitation would grant an attacker complete control over the web server, enabling data theft, defacement, or further infection. Administrators should treat this as an immediate threat.