WordPress Plugin Vulnerabilities

RTMKit Addons for Elementor < 2.0.9 - Author+ Site-Wide Theme Builder Template Creation and Activation

Description

The plugin does not perform a proper capability check on one of its theme-builder AJAX actions, allowing users with at least the Author role to create and activate a site-wide template that overrides the header, footer or other global areas displayed to all visitors, which is normally restricted to administrators.

Proof of Concept

Affects Plugins

References

Classification

Type
NO AUTHORISATION
CWE
CVSS

Miscellaneous

Original Researcher
Meher Sudhakar Abbireddi
Submitter
Meher Sudhakar Abbireddi
Verified
Yes

Timeline

Publicly Published
2026-06-25 (about 21 days ago)
Added
2026-06-25 (about 20 days ago)
Last Updated
2026-06-25 (about 20 days ago)

Other