Description
The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7. This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it possible for authenticated attackers, with Contributor-level access and above, to view arbitrary form submissions from other users by iterating the entries_id parameter.
Published: 2026-06-16
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The RTMKit WordPress plugin contains a flaw where the get_submission_content AJAX endpoint does not verify that the user has permission to access a requested form submission. This missing authorization check allows an authenticated attacker with Contributor-level access or higher to submit an entries_id parameter and retrieve the content of any form submission stored by the site. The result is the disclosure of private form responses, a clear breach of confidentiality and a potential source of personal data exposure.

Affected Systems

All WordPress sites that have installed Rometheme’s RTMKit plugin in any release up to and including 2.0.7 are affected. Any site hosting the plugin in these versions can be impacted by this authorization bypass.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, and the EPSS score of less than 1% indicates a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, so no active exploitation campaigns have been reported. An attacker must first hold valid credentials with Contributor-level or higher privileges, so exposure is limited to sites where such accounts exist; if a site grants Contributor privileges broadly, or if those accounts are compromised, the attack surface grows accordingly. An exploit would involve crafting an authenticated AJAX request with a chosen entries_id to enumerate other users’ submissions.

Generated by OpenCVE AI on June 18, 2026 at 00:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade RTMKit to the newest available version (any release newer than 2.0.7, such as 2.0.8 or later) to apply the patch suggested by the changeset history.
  • If an upgrade cannot be performed immediately, modify the get_submission_content AJAX handler to perform a capability check such as current_user_can('edit_posts') or otherwise restrict access to only Administrators. This can be implemented by adding an explicit permission check before returning the submission data or by removing the AJAX action for non-Administrator users.
  • Audit the user roles on the site, removing Contributor privileges from accounts that do not require form editing rights, and monitor site logs for anomalous access to form submission endpoints.
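The hardened shape of such a handler, as an added example that is not RTMKit's own code: a nonce check, a coarse capability gate, and an object-level ownership check on the requested entry. The handler name, nonce action, table and column names are assumptions; note that the default WordPress Contributor role holds edit_posts, so that capability alone would not exclude the roles named in the description.

```php
<?php
// Added example, not RTMKit's own code. A hardened handler for the
// get_submission_content AJAX action; every name below except the action
// and the entries_id parameter is an assumption.

add_action('wp_ajax_get_submission_content', 'example_get_submission_content');

function example_get_submission_content() {
    // 1. Nonce check: reject cross-site requests that ride on a logged-in session.
    check_ajax_referer('example_submission_nonce', 'nonce');

    // 2. Function-level gate. Contributors hold 'edit_posts' by default, so this
    //    gate alone is not sufficient; it only keeps out roles below Contributor.
    if (!current_user_can('edit_posts')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    // 3. Validate the identifier before it reaches the database.
    $entries_id = isset($_POST['entries_id']) ? absint($_POST['entries_id']) : 0;
    if ($entries_id === 0) {
        wp_send_json_error(['message' => 'invalid entries_id'], 400);
    }

    global $wpdb;
    $table = $wpdb->prefix . 'example_form_entries'; // assumed table name
    $row = $wpdb->get_row(
        $wpdb->prepare("SELECT id, form_id, author_id, content FROM {$table} WHERE id = %d", $entries_id),
        ARRAY_A
    );

    // 4. Object-level check. Same response for "missing" and "not yours", so the
    //    endpoint cannot be used to confirm which entry IDs exist.
    if ($row === null || !example_user_may_read_entry($row)) {
        wp_send_json_error(['message' => 'not found'], 404);
    }

    wp_send_json_success(['content' => $row['content']]);
}

// Assumed ownership rule: administrators may read every entry; everyone else
// only entries attached to forms they authored (author_id is an assumed column).
function example_user_may_read_entry(array $row): bool {
    if (current_user_can('manage_options')) {
        return true;
    }
    return (int) $row['author_id'] === get_current_user_id();
}
```

The same two-layer pattern (capability gate, then per-object ownership) applies to any other AJAX or REST action that takes a record identifier from the request.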

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 16:30:00 +0000
  Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 08:45:00 +0000
  Type: First Time appeared
  Values Added: Rometheme; Rometheme rtmkit; Wordpress; Wordpress wordpress
  Type: Vendors & Products
  Values Added: Rometheme; Rometheme rtmkit; Wordpress; Wordpress wordpress

Tue, 16 Jun 2026 06:30:00 +0000
  Type: Description
  Values Added: The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7. This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it possible for authenticated attackers, with Contributor-level access and above, to view arbitrary form submissions from other users by iterating the entries_id parameter.
  Type: Title
  Values Added: RTMKit <= 2.0.7 - Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access via 'entries_id' Parameter
  Type: Weaknesses
  Values Added: CWE-863
  Type: References
  Values Added: (none)
  Type: Metrics (cvssV3_1)
  Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-16T16:06:14.076Z

Reserved: 2026-03-30T13:24:38.966Z

Link: CVE-2026-5149

Vulnrichment

Updated: 2026-06-16T16:06:09.751Z

NVD

Status : Deferred

Published: 2026-06-16T06:16:58.337

Modified: 2026-06-16T15:22:49.577

Link: CVE-2026-5149

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T00:30:14Z

Weaknesses