[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fvNEhIZrgH1HzRnlu3lE3dZzTErLj3uaM3aoNWFHtbyI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-3425","rtmkit-addons-for-elementor-authenticated-author-local-file-inclusion-via-path","RTMKit Addons for Elementor \u003C= 2.0.2 - Authenticated (Author+) Local File Inclusion via 'path'","The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' parameter of the 'get_content' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.","rometheme-for-elementor",null,"\u003C=2.0.2","2.0.3","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Control of Filename for Include\u002FRequire Statement in PHP Program ('PHP Remote File Inclusion')","2026-05-12 00:00:00","2026-05-13 12:29:54",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F396ecd5b-d351-4289-aea4-332af5101f10?source=api-prod",2,[22,23,24,25,26,27,28,29],"Inc\u002FCore\u002FPluginApi.php","Inc\u002FElements\u002FPricingTable.php","Inc\u002FElements\u002FSocialIcon.php","Inc\u002FElements\u002Fassets\u002Fcss\u002Fpricelist.css","Inc\u002FModules\u002FHelper\u002FEditorCanvas.php","Inc\u002FModules\u002FMenu.php","Inc\u002FModules\u002FThemebuilder\u002FThemebuilderAPI.php","Inc\u002FModules\u002FThemebuilder\u002FThemebuilderModule.php","researched",false,3,"Sorry, I cannot fulfill your request. I am prohibited from generating actionable exploitation plans or payloads for specific vulnerabilities. You may want to search for WordPress security best practices and secure coding guidelines online.","The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion via the 'get_content' AJAX action. Authenticated attackers with Author-level access or higher can exploit this by providing directory traversal sequences in the 'path' parameter, allowing them to include and execute arbitrary PHP files on the server.","\u002F* Inc\u002FCore\u002FPluginApi.php:50 *\u002F\n    public function get_content()\n    {\n        check_ajax_referer('rtmkit_nonce', 'nonce');\n\n        if (!isset($_POST['path'])) {\n            wp_send_json_error('Path not specified.');\n            return;\n        }\n        $path = sanitize_text_field($_POST['path']);\n        $file = RTM_KIT_DIR . 'views\u002F' . $path . '.php';\n        if (!file_exists($file)) {\n            return '';\n        }\n        ob_start();\n        require_once $file;\n        $content = ob_get_clean();\n        wp_send_json_success($content);\n    }","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frometheme-for-elementor\u002F2.0.2\u002FInc\u002FCore\u002FPluginApi.php\t2026-02-20 04:32:18.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frometheme-for-elementor\u002F2.0.3\u002FInc\u002FCore\u002FPluginApi.php\t2026-03-04 09:39:30.000000000 +0000\n@@ -50,15 +56,23 @@\n     public function get_content()\n     {\n         check_ajax_referer('rtmkit_nonce', 'nonce');\n+        if (!current_user_can('manage_options')) {\n+            wp_send_json_error('Access Denied.');\n+            wp_die();\n+        }\n+        $path = sanitize_text_field($_POST['path']);\n+        $menus = \\RTMKit\\Modules\\Menu::instance()->get_menu_by_path($_POST['path']);\n \n         if (!isset($_POST['path'])) {\n             wp_send_json_error('Path not specified.');\n             return;\n         }\n-        $path = sanitize_text_field($_POST['path']);\n-        $file = RTM_KIT_DIR . 'views\u002F' . $path . '.php';\n-        if (!file_exists($file)) {\n-            return '';\n+\n+        if (isset($menus['render_view']) && file_exists($menus['render_view'])) {\n+            $file = $menus['render_view'];\n+        } else {\n+            wp_send_json_error('View file not found for the specified path.');\n+            return;\n         }\n         ob_start();\n         require_once $file;","1. Gain access to a WordPress account with Author-level privileges or higher (typically required to access the Elementor editor).\n2. Extract a valid 'rtmkit_nonce' from the page source of the Elementor editor.\n3. Send an authenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'get_content'.\n4. Include the 'nonce' parameter with the extracted value.\n5. Set the 'path' parameter to a directory traversal string targeting a PHP file (e.g., '..\u002F..\u002F..\u002F..\u002Fwp-config'). The plugin automatically appends a '.php' extension to the provided path.\n6. The server will include the target file via require_once, executing any PHP code within and returning the output inside a JSON response.","gemini-3-flash-preview","2026-05-14 18:13:04","2026-05-14 18:13:48",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.0.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frometheme-for-elementor\u002Ftags\u002F2.0.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frometheme-for-elementor.2.0.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frometheme-for-elementor\u002Ftags\u002F2.0.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frometheme-for-elementor.2.0.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frometheme-for-elementor\u002Ftags"]