Description
The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7. This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute files on the server ending in _templates.php, allowing the execution of any PHP code in those files.
Published: 2026-07-03
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The RTMKit plugin for WordPress lets an authenticated user with the Contributor role or higher call the render_templates AJAX endpoint and supply a raw 'template' parameter. The plugin concatenates that value directly into a require/include statement without path validation, so a directory-traversal sequence in the parameter can reach files outside the intended template directory. The inclusion is limited to files whose names end in _templates.php, so arbitrary files such as wp-config.php cannot be included; any file that does match that suffix is, however, executed as PHP with the privileges of the web server process, which lets the attacker run whatever code those files contain, including a file they have managed to place on the host under such a name.
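
As an added illustration (not the plugin's source, which this page does not reproduce), the following reconstructs the CWE-98 pattern the description names beside a hardened handler. The function names, TEMPLATE_DIR and the allowlist are assumptions. The vulnerable form also shows why the inclusion is "limited": the suffix sits after the user-controlled value, and PHP refuses include paths containing a NUL byte, so the suffix cannot be truncated away.

```php
<?php
// Added illustrative example, not RTMKit's source: a minimal reconstruction of
// the CWE-98 include pattern described for RTMKit <= 2.0.7, beside a hardened
// handler. Function names, TEMPLATE_DIR and the allowlist are assumptions.

declare(strict_types=1);

// Directory the handler is meant to serve template files from (assumed).
const TEMPLATE_DIR = __DIR__ . '/templates';

// --- Vulnerable pattern (do not use) ----------------------------------------
// The 'template' request value is concatenated straight into the include path.
// "../../../../some/dir/evil" therefore reaches any file on disk whose name
// ends in "_templates.php". The suffix is what keeps this a *limited* LFI:
// PHP refuses include paths containing a NUL byte, so it cannot be truncated.
function rtm_render_templates_vulnerable(array $request): void
{
    $template = $request['template'] ?? '';
    require TEMPLATE_DIR . '/' . $template . '_templates.php';
}

// --- Hardened handler --------------------------------------------------------
// Step 1: treat the parameter as a bare identifier. Anything outside
// [A-Za-z0-9_-] (slashes, "..", NUL, "php://", ...) is rejected, and an
// explicit allowlist of known template names narrows it further.
function rtm_template_name_is_safe(string $template, array $allowlist = []): bool
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $template)) {
        return false;
    }
    return $allowlist === [] || in_array($template, $allowlist, true);
}

// Step 2: resolve the file and confirm it still lies inside TEMPLATE_DIR.
// realpath() collapses symlinks and ".." and returns false for missing files.
function rtm_resolve_template(string $template, array $allowlist = []): ?string
{
    if (!rtm_template_name_is_safe($template, $allowlist)) {
        return null;
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $template . '_templates.php');
    if ($base === false || $path === false) {
        return null;
    }
    // Containment check: the resolved path must be strictly below the base dir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function rtm_render_templates_hardened(array $request): void
{
    // Inside WordPress this would additionally call check_ajax_referer() and
    // current_user_can() with a capability appropriate for the action; they
    // are omitted so the snippet runs outside WordPress.
    $raw  = $request['template'] ?? '';
    $path = rtm_resolve_template(is_string($raw) ? $raw : '', ['hero', 'pricing']);
    if ($path === null) {
        http_response_code(400);
        echo 'invalid template';
        return;
    }
    require $path;
}

// Self-check on constructed inputs; only the syntactic step is exercised so
// the result does not depend on TEMPLATE_DIR existing on this machine.
$probes = ['hero', 'pricing', 'footer', '../../../../tmp/evil', "hero\0", 'php://filter/resource=hero'];
foreach ($probes as $probe) {
    $verdict = rtm_template_name_is_safe($probe, ['hero', 'pricing']) ? 'ALLOWED' : 'REJECTED';
    printf("%-30s %s\n", addcslashes($probe, "\0"), $verdict);
}
```

Run it with `php example.php`: the two allowlisted names pass the syntactic check, "footer" is turned away by the allowlist, and the traversal, NUL-byte and stream-wrapper probes all fail the identifier regex before any filesystem access happens. The realpath containment check in rtm_resolve_template is the second line of defence for the case where the allowlist is later dropped or a template name is built from several parts.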

Affected Systems

The affected component is the RTMKit (rometheme-for-elementor) plugin for WordPress, versions up to and including 2.0.7. Any WordPress site with one of these versions installed and active is affected, since the endpoint is reachable by every account holding the Contributor role or higher.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium), with vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N: the flaw is reachable over the network with low attack complexity and requires only low privileges, but it is scored for a limited confidentiality impact, reflecting the restriction to files ending in _templates.php. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with at least Contributor privileges; unauthenticated users cannot trigger the flaw. The likelihood of exploitation therefore depends on credential compromise, open registration that grants Contributor or higher, or misconfigured roles, making the overall risk moderate to low in environments with strict access controls.

Generated by OpenCVE AI on July 3, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update RTMKit to a release newer than 2.0.7 that corrects the 'template' path validation once the vendor publishes one; at the time of writing no fixed version is listed on this page
  • Review accounts holding the Contributor role or higher, confirm they are legitimate and monitored, and remove or downgrade any that are not required
  • If the render_templates endpoint is not needed, disable it (for example by unhooking its AJAX action from a must-use plugin) or raise the capability it requires; audit the server for files ending in _templates.php outside the plugin's own directories, since those are the only files the flaw can include


Advisories

No advisories yet.

History

Fri, 03 Jul 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Rometheme; Rometheme rtmkit; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Rometheme; Rometheme rtmkit; Wordpress; Wordpress wordpress

Fri, 03 Jul 2026 10:00:00 +0000

Type: Description
Values Added: The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7 This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute files on the server ending in _templates.php, allowing the execution of any PHP code in those files.

Type: Title
Values Added: RTMKit <= 2.0.7 - Authenticated (Contributor+) Limited Local File Inclusion via 'template' Parameter

Type: Weaknesses
Values Added: CWE-98

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-03T09:31:52.399Z

Reserved: 2026-03-30T10:48:18.196Z

Link: CVE-2026-5137

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T20:45:16Z

Weaknesses
  • CWE-98

    Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')