[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f94SDAzkClsC2bmLofOB0kFpBD6p9EESuX4RJpXVixmg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-5149","rtmkit-authenticated-contributor-missing-authorization-to-arbitrary-form-submission-access-via-entriesid-parameter","RTMKit \u003C= 2.0.7 - Authenticated (Contributor+) Missing Authorization to Arbitrary Form Submission Access via 'entries_id' Parameter","The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it possible for authenticated attackers, with Contributor-level access and above, to view arbitrary form submissions from other users by iterating the entries_id parameter.","rometheme-for-elementor",null,"\u003C=2.0.7","2.0.8","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Incorrect Authorization","2026-06-15 17:15:45","2026-06-16 05:33:33",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1fe363b2-8c70-45cd-9fdc-8979f894efd8?source=api-prod",1,[22,23,24,25,26,27,28,29],"Inc\u002FCore\u002FPlugin.php","Inc\u002FCore\u002FPluginApi.php","Inc\u002FElements\u002FAccordion.php","Inc\u002FElements\u002FAdvancedHeading.php","Inc\u002FElements\u002FAnimatedHeading.php","Inc\u002FElements\u002FBackToTop.php","Inc\u002FElements\u002FBarChart.php","Inc\u002FElements\u002FBlockquote.php","researched",false,3,"This exploitation research plan focuses on **CVE-2026-5149**, an Incorrect Authorization vulnerability in the **RTMKit (RomeThemeKit)** plugin for WordPress.\n\n---\n\n### 1. Vulnerability Summary\nThe RTMKit plugin (versions ≤ 2.0.7) registers an AJAX endpoint `get_submission_content` (likely within the `SubmissionModule`) that is intended to retrieve form submission data. The vulnerability arises because this endpoint fails to perform a capability check (e.g., `current_user_can('manage_options')`) or an ownership check on the requested data. \n\nAuthenticated users with **Contributor-level** permissions or higher can exploit this to view arbitrary form submissions—potentially containing sensitive PII (Personally Identifiable Information)—by iterating through the `entries_id` parameter.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `get_submission_content` (Inferred AJAX action)\n*   **Vulnerable Parameter:** `entries_id`\n*   **Authentication:** Authenticated (Contributor+)\n*   **Required Header:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Nonce Action:** `rtmkit_nonce` (Required by the plugin's API pattern)\n\n### 3. Code Flow\nWhile the specific source for the `SubmissionModule` is truncated, the execution flow is grounded in the provided `PluginApi.php` and `Plugin.php` files:\n\n1.  **Registration:** The `Plugin` class initializes `SubmissionModule` (Line 183 of `Plugin.php`).\n2.  **AJAX Hook:** The module likely registers `wp_ajax_get_submission_content`.\n3.  **Vulnerable Handler:** The handler function (likely `get_submission_content`) is invoked.\n4.  **Insecure Authorization:** Unlike `PluginApi::get_content()` (which checks for `manage_options`), the submission handler fails to verify if the current user should have access to the entry identified by `$_POST['entries_id']`.\n5.  **Data Sink:** The code queries the database for the submission corresponding to the ID and returns the content via `wp_send_json_success()`.\n\n### 4. Nonce Acquisition Strategy\nThe plugin uses a nonce check: `check_ajax_referer('rtmkit_nonce', 'nonce')`. To obtain a valid nonce as a Contributor:\n\n1.  **Identify Trigger:** The nonce is likely localized for the \"System Panel\" or the Form Submission management area in the admin dashboard.\n2.  **Setup Page:** A Contributor can access the WordPress admin dashboard.\n3.  **Extraction:**\n    *   Navigate to the RTMKit dashboard or a page where the plugin's admin scripts are loaded (e.g., `\u002Fwp-admin\u002Fadmin.php?page=rtmkit`).\n    *   Use `browser_eval` to extract the nonce from the localized JavaScript object.\n    *   **Inferred Variable:** Based on the script handle `rtmkit-system-panel`, the variable is likely `rtmkit_panel_vars` or similar.\n    *   **Command:** `browser_eval(\"window.rtmkit_panel_vars?.nonce\")` or search for `rtmkit_nonce` in the global scope.\n\n### 5. Exploitation Strategy\nThe goal is to demonstrate unauthorized access to a form submission created by another user (e.g., an Admin or a public visitor).\n\n**Step 1: Authenticate**\nAuthenticate as a Contributor-level user.\n\n**Step 2: Nonce Retrieval**\nFetch the nonce using the strategy in Section 4.\n\n**Step 3: Data Iteration**\nSend a series of POST requests to retrieve submissions.\n\n*   **Request URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Body:**\n    ```text\n    action=get_submission_content&nonce=[NONCE]&entries_id=[ID]\n    ```\n*   **Example Payload (entries_id=1):**\n    ```text\n    action=get_submission_content&nonce=a1b2c3d4e5&entries_id=1\n    ```\n\n**Step 4: Analyze Response**\nA successful exploit will return a JSON object with `success: true` and the submission data in the `data` field, even if the user is not an admin.\n\n### 6. Test Data Setup\n1.  **Form Creation:** Create a form using the RTMKit Form widget (requires Elementor).\n2.  **Submission:** Submit the form as an unauthenticated visitor or an Admin user with test data (e.g., `email: admin-secret@example.com`).\n3.  **User Creation:** Create a user with the **Contributor** role.\n4.  **Note ID:** Identify the ID of the submission in the database (e.g., via `wp_rtmkit_submissions` table) to target it specifically.\n\n### 7. Expected Results\n*   **Unauthorized Access:** The Contributor receives the full content of the submission (e.g., name, email, message) in the JSON response.\n*   **HTTP 200 OK:** The server returns a successful response instead of an \"Access Denied\" error or 403 status.\n\n### 8. Verification Steps\nAfter the HTTP request, verify the vulnerability using WP-CLI:\n\n1.  **Check Capability:** Verify that the current user lacks the `manage_options` capability:\n    `wp user cap list [CONTRIBUTOR_ID]`\n2.  **Compare Data:** Verify that the data returned in the AJAX response matches the data stored in the database for that `entries_id`:\n    `wp db query \"SELECT * FROM wp_rtmkit_submissions WHERE id = [ID]\"` (Note: Table name is inferred).\n\n### 9. Alternative Approaches\n*   **Direct Parameter Manipulation:** If `entries_id` is not the only parameter, check for `entry_id` or `submission_id`.\n*   **GET Request:** While `check_ajax_referer` usually looks at `$_REQUEST`, try sending the payload via `GET` if `POST` is blocked, as some plugins do not restrict the method.\n*   **ID Brute-forcing:** If a specific ID is unknown, use a loop to iterate IDs from 1 to 500 to discover existing submissions.","The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in versions up to 2.0.7. The 'get_submission_content' AJAX endpoint fails to verify if the requesting user has administrative permissions, allowing authenticated attackers with Contributor-level access to view arbitrary form submissions by iterating the 'entries_id' parameter.","\u002F\u002F Inc\u002FCore\u002FPlugin.php\n\u002F\u002F The plugin initializes the SubmissionModule which handles form data\n$this->modules = [\n    \u002F\u002F ...\n    'submission' => \\RTMKit\\Modules\\Submission\\SubmissionModule::class,\n    \u002F\u002F ...\n];\n\n--- \n\n\u002F\u002F Inferred logic within the SubmissionModule handler for 'get_submission_content'\n\u002F\u002F The vulnerability occurs because the function lacks authorization checks\npublic function get_submission_content() {\n    check_ajax_referer('rtmkit_nonce', 'nonce');\n    \u002F\u002F Missing: if (!current_user_can('manage_options')) { wp_die(); }\n    $id = $_POST['entries_id'];\n    \u002F\u002F ... query database and return submission content\n}","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frometheme-for-elementor\u002F2.0.7\u002FInc\u002FCore\u002FPluginApi.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frometheme-for-elementor\u002F2.0.8\u002FInc\u002FCore\u002FPluginApi.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frometheme-for-elementor\u002F2.0.7\u002FInc\u002FCore\u002FPluginApi.php\t2026-04-20 10:59:40.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Frometheme-for-elementor\u002F2.0.8\u002FInc\u002FCore\u002FPluginApi.php\t2026-06-11 05:50:12.000000000 +0000\n@@ -2,6 +2,8 @@\n \n namespace RTMKit\\Core;\n \n+if (! defined('ABSPATH')) exit;\n+\n class PluginApi\n {\n@@ -55,14 +57,27 @@\n \n     public function get_content()\n     {\n-        check_ajax_referer('rtmkit_nonce', 'nonce');\n+        $nonce = isset($_POST['nonce'])\n+            ? sanitize_text_field(wp_unslash($_POST['nonce']))\n+            : '';\n+\n+        if (! wp_verify_nonce($nonce, 'rtmkit_nonce')) {\n+            die(__('Security check', 'rometheme-for-elementor'));\n+        }\n+        \n+        \u002F\u002F check_ajax_referer('rtmkit_nonce', 'nonce');\n         if (!current_user_can('manage_options')) {\n             wp_send_json_error('Access Denied.');\n             wp_die();\n         }\n-        $path = sanitize_text_field($_POST['path']);\n-        $menus = \\RTMKit\\Modules\\Menu::instance()->get_menu_by_path($_POST['path']);\n \n+        $path = isset($_POST['path'])\n+            ? sanitize_text_field(wp_unslash($_POST['path']))\n+            : '';\n+        \u002F\u002F phpcs:ignore WordPress.Security.NonceVerification.Recommended\n+        $menus = \\RTMKit\\Modules\\Menu::instance()->get_menu_by_path($path);","1. Authenticate to the WordPress dashboard as a user with Contributor-level privileges.\n2. Identify and extract the 'rtmkit_nonce' value, which is commonly localized for scripts in the RTMKit dashboard or system panel.\n3. Construct an AJAX POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' with the following body: 'action=get_submission_content&nonce=[NONCE]&entries_id=[TARGET_ID]'.\n4. Send the request and capture the response. Because the server does not verify administrative capabilities for this action, it will return the full submission data for the specified ID, including any PII submitted via forms.","gemini-3-flash-preview","2026-06-25 23:45:36","2026-06-25 23:46:35",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","2.0.7","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frometheme-for-elementor\u002Ftags\u002F2.0.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frometheme-for-elementor.2.0.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frometheme-for-elementor\u002Ftags\u002F2.0.8","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Frometheme-for-elementor.2.0.8.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Frometheme-for-elementor\u002Ftags"]