Impact
The RTMKit plugin for WordPress allows an authenticated user with Contributor level or higher to call the render_templates AJAX endpoint and supply a raw "template" parameter. The plugin concatenates the supplied value directly into a require/include statement without path validation, which permits inclusion of files whose names end in _templates.php. If such a file exists, the server executes its PHP code, effectively granting an attacker the ability to run arbitrary PHP code with the same privileges as the web server.
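As an added illustration, not the RTMKit plugin's own code, the following PHP sketches the include pattern described above beside a hardened handler of the kind a fix would use: a capability check, a nonce check, an allowlist of template identifiers, and a realpath boundary check so the resolved file must stay inside the plugin's templates directory. The function names, the nonce action name, the templates directory and the allowlist contents are assumptions.

```php
<?php
// Added illustration of the pattern the advisory describes and one way to harden it.
// This is not the RTMKit plugin's code; names and paths below are assumed.

// Vulnerable pattern (hypothetical): the raw request value becomes part of the include path.
function rtm_example_render_templates_unsafe() {
    $template = $_POST['template']; // attacker-controlled, unvalidated
    require plugin_dir_path( __FILE__ ) . 'templates/' . $template . '_templates.php';
}

// Hardened pattern: authorize, verify the nonce, allowlist, then confirm the resolved path.
function rtm_example_render_templates_safe() {
    // Restrict the action to a capability that matches its purpose (assumed here).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // sends JSON and exits
    }
    // Reject requests that do not carry a valid nonce for this action (action name assumed).
    check_ajax_referer( 'rtm_example_render_templates', 'nonce' );

    // Allowlist of template identifiers the plugin ships (constructed sample list).
    $allowed  = array( 'header', 'footer', 'sidebar' );
    $template = isset( $_POST['template'] ) ? sanitize_key( wp_unslash( $_POST['template'] ) ) : '';
    if ( ! in_array( $template, $allowed, true ) ) {
        wp_send_json_error( 'unknown template', 400 );
    }

    // Defense in depth: resolve the final path and require it to sit under the templates directory.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = realpath( $base . DIRECTORY_SEPARATOR . $template . '_templates.php' );
    if ( false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'unknown template', 400 );
    }

    require $file;
    wp_die();
}
```

The allowlist is the control that actually closes the flaw: `sanitize_key()` alone only strips characters, and a path check alone still lets a user choose among every `_templates.php` file under the directory. Until the plugin is updated, the same validation can be attached in front of the vulnerable handler from a must-use plugin, or the action can be blocked outright for roles that do not need it.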
Affected Systems
The affected component is the RTMKit plugin for WordPress (slug rometheme-for-elementor), versions up to and including 2.0.7. Any WordPress site running one of these plugin versions is vulnerable.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity, and no EPSS score is available. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that the attacker first authenticate to the WordPress site with at least Contributor privileges; unauthenticated users cannot trigger the flaw. Consequently, the likelihood of exploitation depends on credential compromise or over-permissive user roles, making the overall risk moderate to low in environments with strict access controls.
OpenCVE Enrichment