All-in-one toolkit for Elementor: advanced addons, theme builder, forms, icons & templates to build stunning sites fast and easy.

50K active installs v2.0.4 PHP 8.2+ WP 6.8+ Updated Mar 13, 2026
Tags: elementor, elementor-addons, elementor-templates, elementor-widgets, elementor-woocommerce
89
A · Safe
CVEs total: 12
Unpatched: 0
Last CVE: Mar 10, 2026
Safety Verdict

Is RTMKit Safe to Use in 2026?

Generally Safe

Score 89/100

RTMKit has a strong security track record. Known vulnerabilities have been patched promptly.

12 known CVEs · Last CVE: Mar 10, 2026 · Updated 21d ago
Risk Assessment

The plugin exhibits a mixed security posture. While it shows strengths in using prepared statements for SQL queries and a high percentage of properly escaped output, significant concerns arise from its attack surface and historical vulnerability patterns.

The static analysis reveals a considerable attack surface with 34 AJAX handlers, one of which lacks authentication checks. This unprotected entry point is a critical vulnerability that could allow unauthorized actions. Furthermore, six taint analysis flows with unsanitized paths indicate potential injection vulnerabilities, though the severity is not classified as critical or high in this specific analysis.

The plugin's vulnerability history is deeply concerning, with a total of 12 known CVEs, including 2 high and 10 medium severity vulnerabilities. The types of past vulnerabilities, such as Unrestricted Upload, Cross-Site Scripting, Authorization Bypass, Missing Authorization, and Information Exposure, suggest a recurring pattern of insecure coding practices related to input validation, authorization, and secure handling of user-provided data. The fact that there are currently no unpatched CVEs is positive, but the sheer volume and nature of past issues indicate a systemic risk that demands careful attention. The last vulnerability date is in the future, which is unusual but not directly relevant to the current risk assessment.

Key Concerns

  • AJAX handler without authentication check
  • Flows with unsanitized paths identified
  • High number of past high severity CVEs
  • High number of past medium severity CVEs
  • Recurring vulnerability types: Unrestricted Upload, XSS, Auth Bypass, Info Expos
Vulnerabilities
12

RTMKit Security Vulnerabilities

CVEs by Year

2024: 3 CVEs
2025: 8 CVEs
2026: 1 CVE

Severity Breakdown

High: 2
Medium: 10

12 total CVEs

CVE-2025-12473 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

RTMKit <= 1.6.8 - Reflected Cross-Site Scripting via 'themebuilder' Parameter

Mar 10, 2026 Patched in 2.0.0 (1d)
CVE-2025-8609 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

RTMKit Addons <= 1.6.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Accordion Repeater Block Attribute

Nov 17, 2025 Patched in 1.6.6 (1d)
CVE-2025-62065 · high · 8.8 · Unrestricted Upload of File with Dangerous Type

RTMKit <= 1.6.5 - Authenticated (Contributor+) Arbitrary File Upload

Oct 18, 2025 Patched in 1.6.6 (12d)
CVE-2025-49235 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

RTMKit Addons for Elementor <= 1.6.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jun 5, 2025 Patched in 1.6.1 (7d)
CVE-2025-30911 · high · 8.8 · Missing Authorization

RomethemeKit For Elementor <= 1.5.4 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation

Mar 27, 2025 Patched in 1.5.5 (8d)
CVE-2025-64283 · medium · 4.3 · Authorization Bypass Through User-Controlled Key

RTMKit <= 1.6.7 - Authenticated (Contributor+) Insecure Direct Object Reference

Feb 14, 2025 Patched in 1.6.8 (284d)
CVE-2025-24743 · medium · 4.3 · Missing Authorization

RomethemeKit For Elementor <= 1.5.2 - Missing Authorization

Jan 24, 2025 Patched in 1.5.3 (5d)
CVE-2024-10324 · medium · 4.3 · Exposure of Sensitive Information Through Metadata

RomethemeKit For Elementor <= 1.5.2 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates

Jan 23, 2025 Patched in 1.5.3 (2d)
CVE-2024-10326 · medium · 4.3 · Missing Authorization

RomethemeKit For Elementor <= 1.5.3 - Missing Authorization in save_options and reset_widgets

Jan 14, 2025 Patched in 1.5.4 (54d)
CVE-2024-47626 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

RomethemeKit For Elementor <= 1.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

Sep 30, 2024 Patched in 1.5.1 (11d)
CVE-2024-33919 · medium · 5.3 · Missing Authorization

RomethemeKit For Elementor <= 1.4.1 - Missing Authorization

Apr 29, 2024 Patched in 1.4.2 (9d)
CVE-2024-32956 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

RomethemeKit For Elementor <= 1.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Apr 22, 2024 Patched in 1.4.2 (8d)
Code Analysis
Analyzed Mar 16, 2026

RTMKit Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (1 prepared)
Unescaped Output: 138 (2162 escaped)
Nonce Checks: 34
Capability Checks: 33
File Operations: 34
External Requests: 5
Bundled Libraries: 1

Bundled Libraries

Select2

SQL Query Safety

100% prepared · 1 total queries

Output Escaping

94% escaped · 2300 total outputs
Data Flows
6 unsanitized

Data Flow Analysis

19 flows · 6 with unsanitized paths
download_template (Inc\Modules\Templatekits\TemplatekitAPI.php:180)
Attack Surface
1 unprotected

RTMKit Attack Surface

Entry Points: 34
Unprotected: 1

AJAX Handlers 34

auth · wp_ajax_get_sidebar_content · Inc\Core\PluginApi.php:29
auth · wp_ajax_get_content · Inc\Core\PluginApi.php:30
auth · wp_ajax_set_global_site · Inc\Core\PluginApi.php:31
auth · wp_ajax_save_extensions · Inc\Modules\Extensions\ExtensionStorage.php:20
auth · wp_ajax_fetch_layout_lib · Inc\Modules\Helper\EditorCanvas.php:23
auth · wp_ajax_fetch_lib · Inc\Modules\Helper\EditorCanvas.php:24
auth · wp_ajax_template_category · Inc\Modules\Helper\EditorCanvas.php:25
auth · wp_ajax_get_installed_templates · Inc\Modules\Helper\EditorCanvas.php:26
auth · wp_ajax_get_installed_template · Inc\Modules\Helper\EditorCanvas.php:27
auth · wp_ajax_get_template_content · Inc\Modules\Helper\EditorCanvas.php:28
auth · wp_ajax_is_pro_active · Inc\Modules\Helper\EditorCanvas.php:29
auth · wp_ajax_plugin_status_check · Inc\Modules\SetupWizard\SetupWizardApi.php:21
auth · wp_ajax_newsletter_subscribe · Inc\Modules\SetupWizard\SetupWizardApi.php:22
auth · wp_ajax_rtm_wizard_finish · Inc\Modules\SetupWizard\SetupWizardApi.php:23
auth · wp_ajax_save_modules · Inc\Modules\Storage.php:20
auth · wp_ajax_reset_modules · Inc\Modules\Storage.php:21
auth · wp_ajax_get_specific_posts · Inc\Modules\Storage.php:22
auth · wp_ajax_get_submission_content · Inc\Modules\Submission\SubmissionModule.php:22
auth · wp_ajax_render_templates · Inc\Modules\Templatekits\TemplatekitAPI.php:22
auth · wp_ajax_download_template · Inc\Modules\Templatekits\TemplatekitAPI.php:23
auth · wp_ajax_upload_template · Inc\Modules\Templatekits\TemplatekitAPI.php:24
auth · wp_ajax_delete_template · Inc\Modules\Templatekits\TemplatekitAPI.php:25
auth · wp_ajax_import_template · Inc\Modules\Templatekits\TemplatekitAPI.php:26
auth · wp_ajax_send_themeforest_stats · Inc\Modules\Templatekits\TemplatekitAPI.php:27
auth · wp_ajax_delete_installed_template · Inc\Modules\Templatekits\TemplatekitAPI.php:28
auth · wp_ajax_get_themebuilder_table · Inc\Modules\Themebuilder\ThemebuilderAPI.php:20
auth · wp_ajax_add_themebuilder · Inc\Modules\Themebuilder\ThemebuilderAPI.php:21
auth · wp_ajax_edit_themebuilder · Inc\Modules\Themebuilder\ThemebuilderAPI.php:22
auth · wp_ajax_install_requirements · Inc\Modules\Themebuilder\ThemebuilderAPI.php:23
auth · wp_ajax_update_plugin · Inc\Modules\Update\UpdateAPI.php:22
auth · wp_ajax_rollback_plugin · Inc\Modules\Update\UpdateAPI.php:23
auth · wp_ajax_get_update_content · Inc\Modules\Update\UpdateAPI.php:24
auth · wp_ajax_save_widget · Inc\Modules\Widgets\WidgetStorage.php:21
auth · wp_ajax_reset_all_widgets · Inc\Modules\Widgets\WidgetStorage.php:22
WordPress Hooks 69
action · admin_page_access_denied · Inc\Core\Plugin.php:106
action · upgrader_process_complete · Inc\Core\Plugin.php:107
action · admin_init · Inc\Core\Plugin.php:127
action · rtmkit_loaded · Inc\Core\Plugin.php:208
action · admin_enqueue_scripts · Inc\Core\Plugin.php:209
action · wp_enqueue_scripts · Inc\Core\Plugin.php:213
action · elementor/editor/after_enqueue_scripts · Inc\Core\Plugin.php:229
filter · admin_footer_text · Inc\Core\Plugin.php:230
filter · update_footer · Inc\Core\Plugin.php:245
filter · elementor/frontend/container/should_render · Inc\Elements\NestedElementExample.php:1141
filter · woocommerce_product_get_rating_html · Inc\Elements\WooProductGrid.php:1889
action · elementor/element/common/_section_style/after_section_end · Inc\Extensions\BlurEffects.php:9
action · elementor/element/container/section_layout/after_section_end · Inc\Extensions\BlurEffects.php:12
action · wp_enqueue_scripts · Inc\Extensions\BlurEffects.php:13
action · admin_action_rkit_duplicate_post · Inc\Extensions\RkitDuplicator.php:11
filter · post_row_actions · Inc\Extensions\RkitDuplicator.php:12
filter · page_row_actions · Inc\Extensions\RkitDuplicator.php:13
action · elementor/element/common/_section_style/after_section_end · Inc\Extensions\RkitToolTips.php:19
action · elementor/element/container/section_layout/after_section_end · Inc\Extensions\RkitToolTips.php:20
action · elementor/frontend/after_enqueue_styles · Inc\Extensions\RkitToolTips.php:29
action · elementor/editor/after_enqueue_styles · Inc\Extensions\RkitToolTips.php:30
action · admin_enqueue_scripts · Inc\Extensions\RkitToolTips.php:33
action · elementor/element/common/_section_style/after_section_end · Inc\Extensions\RkitWrapperLink.php:10
action · elementor/element/container/section_layout/after_section_end · Inc\Extensions\RkitWrapperLink.php:11
action · elementor/frontend/container/before_render · Inc\Extensions\RkitWrapperLink.php:14
action · elementor/frontend/widget/before_render · Inc\Extensions\RkitWrapperLink.php:45
action · elementor/frontend/widget/after_render · Inc\Extensions\RkitWrapperLink.php:56
action · wp_enqueue_scripts · Inc\Extensions\RkitWrapperLink.php:64
action · rtmkit_register_extension · Inc\Modules\Extensions\ExtensionStorage.php:22
action · admin_init · Inc\Modules\Helper\Banner.php:9
action · admin_head · Inc\Modules\Helper\Banner.php:27
action · admin_notices · Inc\Modules\Helper\Banner.php:29
action · elementor/preview/enqueue_styles · Inc\Modules\Helper\EditorCanvas.php:18
action · elementor/editor/after_enqueue_styles · Inc\Modules\Helper\EditorCanvas.php:19
action · elementor/editor/before_enqueue_scripts · Inc\Modules\Helper\EditorCanvas.php:20
action · elementor/editor/footer · Inc\Modules\Helper\EditorCanvas.php:21
action · elementor/editor/before_enqueue_scripts · Inc\Modules\Helper\SavedTemplateEditor.php:10
action · elementor/editor/after_enqueue_styles · Inc\Modules\Helper\SavedTemplateEditor.php:11
action · elementor/preview/enqueue_styles · Inc\Modules\Helper\SavedTemplateEditor.php:12
action · admin_menu · Inc\Modules\Menu.php:25
action · admin_enqueue_scripts · Inc\Modules\Menu.php:26
action · admin_bar_menu · Inc\Modules\Menu.php:27
action · admin_enqueue_scripts · Inc\Modules\Menu.php:28
action · admin_footer · Inc\Modules\Menu.php:29
action · wp_enqueue_scripts · Inc\Modules\Menu.php:30
action · wp_footer · Inc\Modules\Menu.php:31
action · elementor/editor/before_enqueue_styles · Inc\Modules\RTMIcons\RTMIconsModule.php:10
action · elementor/icons_manager/additional_tabs · Inc\Modules\RTMIcons\RTMIconsModule.php:14
action · admin_menu · Inc\Modules\SetupWizard\SetupWizardModule.php:9
action · admin_init · Inc\Modules\SetupWizard\SetupWizardModule.php:10
action · admin_enqueue_scripts · Inc\Modules\SetupWizard\SetupWizardModule.php:11
action · init · Inc\Modules\Templatekits\TemplatekitModule.php:24
action · init · Inc\Modules\Themebuilder\ThemebuilderModule.php:21
filter · single_template · Inc\Modules\Themebuilder\ThemebuilderModule.php:24
action · elementor/elements/categories_registered · Inc\Modules\Widgets\WidgetModule.php:20
action · wp_enqueue_scripts · Inc\Modules\Widgets\WidgetModule.php:21
action · elementor/editor/before_enqueue_scripts · Inc\Modules\Widgets\WidgetModule.php:22
action · elementor/widgets/register · Inc\Modules\Widgets\WidgetStorage.php:24
action · template_redirect · Inc\Themebuilder\HeaderFooter.php:23
action · get_header · Inc\Themebuilder\HeaderFooter.php:29
action · romethemekit_header · Inc\Themebuilder\HeaderFooter.php:30
action · get_footer · Inc\Themebuilder\HeaderFooter.php:33
action · romethemekit_footer · Inc\Themebuilder\HeaderFooter.php:34
filter · template_include · Inc\Themebuilder\SinglePost.php:18
action · rmtkit/render_single_template · Inc\Themebuilder\SinglePost.php:19
filter · the_content · Inc\Themebuilder\SinglePost.php:66
action · plugins_loaded · RomeTheme.php:36
action · init · RomeTheme.php:47
action · admin_notices · RomeTheme.php:52
Maintenance & Trust

RTMKit Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 13, 2026
PHP min version: 8.2
Downloads: 349K

Community Trust

Rating: 58/100
Number of ratings: 12
Active installs: 50K
Developer Profile

RTMKit Developer Profile

Rometheme

2 plugins · 80K total installs

Trust score: 84
Avg Security Score: 94/100
Avg Patch Time: 34 days
Detection Fingerprints

How We Detect RTMKit

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/rometheme-for-elementor/assets/css/rtmkit.css
/wp-content/plugins/rometheme-for-elementor/assets/js/rtmkit.js
/wp-content/plugins/rometheme-for-elementor/assets/css/rtmkit-icons.css
Script Paths
/wp-content/plugins/rometheme-for-elementor/assets/js/rtmkit.js
Version Parameters
rometheme-for-elementor/assets/css/rtmkit.css?ver=
rometheme-for-elementor/assets/js/rtmkit.js?ver=
rometheme-for-elementor/assets/css/rtmkit-icons.css?ver=

HTML / DOM Fingerprints

CSS Classes
rtmkit-addon
rtmkit-module
rtmkit-setup-wizard
Data Attributes
data-rtmkit-id
JS Globals
RTMKit
FAQ

Frequently Asked Questions about RTMKit