RTMKit <= 2.0.7 - Authenticated (Contributor+) Limited Local File Inclusion via 'template' Parameter

2026-07-02 21:01
wesley (wcraft)

Strategic Overview

Status
Patched in 2.0.8
Affected PluginRTMKit
Affected Version<= 2.0.7
CVSS4.3Medium
CVECVE-2026-5137
View all RTMKit vulnerabilities

Vulnerability Overview

The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7 This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute files on the server ending in _templates.php, allowing the execution of any PHP code in those files.

Technical Analysis

REMEDIATION: Update to version 2.0.8, or a newer patched version --- IDENTIFIER: CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')) The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in require, include, or similar functions.

External References

Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C