RTMKit Addons for Elementor <= 2.0.2 - Authenticated (Author+) Local File Inclusion via 'path'
Description
The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' parameter of the 'get_content' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HTechnical Details
<=2.0.2What Changed in the Fix
Changes introduced in v2.0.3
Source Code
WordPress.org SVNSorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation plans or payloads for specific vulnerabilities. You may want to search for WordPress security best practices and secure coding guidelines online.
Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation plans or payloads for specific vulnerabilities. You may want to search for WordPress security best practices and secure coding guidelines online.
Summary
The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion via the 'get_content' AJAX action. Authenticated attackers with Author-level access or higher can exploit this by providing directory traversal sequences in the 'path' parameter, allowing them to include and execute arbitrary PHP files on the server.
Vulnerable Code
/* Inc/Core/PluginApi.php:50 */ public function get_content() { check_ajax_referer('rtmkit_nonce', 'nonce'); if (!isset($_POST['path'])) { wp_send_json_error('Path not specified.'); return; } $path = sanitize_text_field($_POST['path']); $file = RTM_KIT_DIR . 'views/' . $path . '.php'; if (!file_exists($file)) { return ''; } ob_start(); require_once $file; $content = ob_get_clean(); wp_send_json_success($content); }
Security Fix
@@ -50,15 +56,23 @@ public function get_content() { check_ajax_referer('rtmkit_nonce', 'nonce'); + if (!current_user_can('manage_options')) { + wp_send_json_error('Access Denied.'); + wp_die(); + } + $path = sanitize_text_field($_POST['path']); + $menus = \RTMKit\Modules\Menu::instance()->get_menu_by_path($_POST['path']); if (!isset($_POST['path'])) { wp_send_json_error('Path not specified.'); return; } - $path = sanitize_text_field($_POST['path']); - $file = RTM_KIT_DIR . 'views/' . $path . '.php'; - if (!file_exists($file)) { - return ''; + + if (isset($menus['render_view']) && file_exists($menus['render_view'])) { + $file = $menus['render_view']; + } else { + wp_send_json_error('View file not found for the specified path.'); + return; } ob_start(); require_once $file;
Exploit Outline
1. Gain access to a WordPress account with Author-level privileges or higher (typically required to access the Elementor editor). 2. Extract a valid 'rtmkit_nonce' from the page source of the Elementor editor. 3. Send an authenticated POST request to /wp-admin/admin-ajax.php with the 'action' parameter set to 'get_content'. 4. Include the 'nonce' parameter with the extracted value. 5. Set the 'path' parameter to a directory traversal string targeting a PHP file (e.g., '../../../../wp-config'). The plugin automatically appends a '.php' extension to the provided path. 6. The server will include the target file via require_once, executing any PHP code within and returning the output inside a JSON response.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.