Impact
The RTMKit WordPress plugin contains a stored cross‑site scripting flaw in the Advanced Heading widget’s ‘Background Text’ parameter. When a user with contributor‑level access or higher supplies malicious input, the value is concatenated directly into an HTML attribute without escaping, allowing the injection of arbitrary JavaScript that will run whenever a page containing the widget is viewed.
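To make the flaw class concrete, the following PHP is an added illustrative example, not RTMKit's own code: the render function names, the `data-bg-text` attribute and the sample input are assumptions chosen for illustration. It shows the unescaped-concatenation pattern the advisory describes next to the attribute-escaped form a fix would use, plus a small check that confirms user input can no longer terminate the attribute.

```php
<?php
// Added example, not the RTMKit plugin's own code. Both functions take the
// widget's Background Text setting and return the rendered HTML fragment.

// Vulnerable form: mirrors the pattern in the advisory. The setting is
// concatenated straight into an HTML attribute with no escaping, so a
// double quote in the value closes the attribute and whatever follows is
// parsed as new markup.
function render_heading_vulnerable(string $background_text): string
{
    return '<div class="rtm-heading" data-bg-text="' . $background_text . '"></div>';
}

// Fixed form: attribute-context escaping at output time. ENT_QUOTES encodes
// both quote characters as well as < > &, so the value cannot break out of
// the attribute. Inside WordPress the equivalent helper is esc_attr().
function render_heading_fixed(string $background_text): string
{
    $safe = htmlspecialchars($background_text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="rtm-heading" data-bg-text="' . $safe . '"></div>';
}

// Defender-side check: the fragment contains exactly two attributes, so a
// correctly escaped render has exactly four raw double quotes. Any extra
// raw quote means user input reached the markup unescaped.
function attribute_is_contained(string $html): bool
{
    return substr_count($html, '"') === 4;
}

// Constructed sample input (not from the advisory): a stray quote that
// would terminate the attribute if left unescaped.
$sample = 'Hello" data-injected="x';

var_dump(attribute_is_contained(render_heading_vulnerable($sample)));
var_dump(attribute_is_contained(render_heading_fixed($sample)));
```

The important design point is that the fix belongs at render time, not at save time: contributors are legitimate users of the editor, so capability checks alone do not remove the risk, and a stored value must be escaped for the exact context (here an attribute) into which it is written each time the page is generated.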
Affected Systems
WordPress sites that have the RTMKit plugin installed in any version up to and including 2.0.7 and that use the Advanced Heading widget are affected. The flaw is present in all releases of RTMKit from the vendor rometheme through version 2.0.7.
Risk and Exploitability
The CVSS score of 6.4 indicates a moderate severity flaw. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated and possess contributor or higher privileges to modify the widget and insert malicious code, after which the injected script executes for every site visitor who loads the affected page.
OpenCVE Enrichment