RTMKit <= 2.0.7 - Authenticated (Contributor+) Limited Local File Inclusion via 'template' Parameter
Strategic Overview
Vulnerability Overview
The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7 This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute files on the server ending in _templates.php, allowing the execution of any PHP code in those files.
Technical Analysis
REMEDIATION: Update to version 2.0.8, or a newer patched version --- IDENTIFIER: CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')) The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in require, include, or similar functions.
External References
Vulnerability data © Defiant, Inc., provided under the Wordfence Intelligence T&C