Security Alert Summary
The RTMKit Addons for Elementor plugin for WordPress contains a Local File Inclusion vulnerability in its AJAX ‘get_content’ action. Authenticated users with Author-level access or higher can supply a crafted ‘path’ parameter to include and execute PHP files on the server, potentially leading to data exposure or code execution.
CVE Details
- CVE ID: CVE-2026-3425
- Affected component: RTMKit Addons for Elementor plugin
- Affected versions: All versions up to and including 2.0.2
- Published: May 13, 2026 1:16 PM
- Last modified: May 13, 2026 2:43 PM
- CVSS v3.1: Base Score 8.8, Severity HIGH, Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Authentication & privileges: Authentication required; privileges required: Low (Author-level access or above); user interaction: None
- Primary impact: Confidentiality: High; Integrity: High; Availability: High
- Weakness: CWE-98 (Improper Control of Filename for Include/Require)
Technical Details
The vulnerability is a Local File Inclusion (LFI) reachable via the ‘path’ parameter of the ‘get_content’ AJAX action. Because the plugin accepts the supplied path without sufficient validation or access checks, an authenticated attacker with Author-level privileges can cause the application to include local files. If PHP files are present or can be uploaded to the server, those files may be executed, allowing an attacker to run arbitrary PHP code, bypass access controls, or read sensitive files.
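As an added illustration that is not the plugin's own code (this advisory does not reproduce it), the simplified WordPress AJAX handler below shows the CWE-98 pattern just described next to a hardened version. The function, hook, nonce and template names are hypothetical; the WordPress API calls used (check_ajax_referer, current_user_can, wp_send_json_error, wp_send_json_success, sanitize_key, plugin_dir_path) are real.

```php
<?php
// Added example, not the plugin's code. Names prefixed rtm_example_ are hypothetical.

// --- Vulnerable pattern (for comparison only; do not deploy) ---
// The handler includes whatever file the request's 'path' parameter names.
// Any logged-in user who can reach this wp_ajax_ hook controls the include.
function rtm_example_get_content_vulnerable() {
    $path = isset( $_POST['path'] ) ? $_POST['path'] : '';
    include $path;   // CWE-98: filename for include comes straight from the request
    wp_die();
}

// --- Hardened pattern ---
function rtm_example_get_content_hardened() {
    // 1. Nonce and capability check. wp_send_json_error() calls wp_die(),
    //    so execution stops here on failure. Pick the narrowest capability the
    //    feature really needs; an administrator-level one is used for illustration.
    check_ajax_referer( 'rtm_example_get_content', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Allowlist: the client sends an opaque key, never a path. The key is
    //    mapped to a fixed file name on the server side.
    $templates = array(
        'hero'    => 'hero.php',
        'pricing' => 'pricing.php',
    );
    $key = isset( $_POST['template'] ) ? sanitize_key( $_POST['template'] ) : '';
    if ( ! isset( $templates[ $key ] ) ) {
        wp_send_json_error( 'unknown template', 400 );
    }

    // 3. Defence in depth: resolve the final path and confirm it is inside the
    //    plugin's own template directory, even though the allowlist already
    //    guarantees that. realpath() returns false for a missing file.
    $base = realpath( plugin_dir_path( __FILE__ ) . 'templates' );
    $file = ( false === $base )
        ? false
        : realpath( $base . DIRECTORY_SEPARATOR . $templates[ $key ] );
    if ( false === $file || 0 !== strpos( $file, $base . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid template', 400 );
    }

    // 4. Render the template and return its output as JSON.
    ob_start();
    include $file;
    wp_send_json_success( ob_get_clean() );
}

// Registered on the logged-in AJAX hook only; there is deliberately no
// wp_ajax_nopriv_ registration for this action.
add_action( 'wp_ajax_rtm_example_get_content', 'rtm_example_get_content_hardened' );
```

The decisive change is that the request never names a file: it selects an entry from a server-side allowlist, and the realpath containment check is a second, independent guard. The nonce and capability checks are what keep an ordinary Author account from reaching the include at all, which is the privilege level the advisory describes as sufficient for exploitation.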
How This Could Impact Your Website
Consider a site where the site owner manages content, internal staff members have Editor or Author roles, and external contractors upload media or templates. An attacker who gains or already holds an Author account could use the vulnerable AJAX action to include PHP files and execute code on the server or expose sensitive site data. Practical consequences include exposure of internal user email addresses and other sensitive files, and an increased risk of targeted phishing or social engineering against staff and contractors. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially Contributor and Author accounts.
- Enforce strong passwords and two-factor authentication for Editors and Administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and logs for unusual behavior, including unexpected file uploads and AJAX requests to plugin endpoints.
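To make the last recommendation concrete, here is an added example (not part of the advisory) of a small PHP command-line script that scans web-server access log lines for requests to the vulnerable AJAX action whose 'path' argument looks like a file-inclusion attempt. The log lines are constructed for the example; the function name is hypothetical.

```php
<?php
// Added example, not from the advisory. Sample lines below are constructed
// in Apache "combined" format; only the request field is inspected.
$sample_log = array(
    '10.0.0.5 - - [13/May/2026:14:01:22 +0000] "GET /wp-admin/admin-ajax.php?action=get_content&path=hero HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [13/May/2026:14:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=get_content&path=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '10.0.0.9 - - [13/May/2026:14:02:31 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [13/May/2026:14:03:05 +0000] "POST /wp-admin/admin-ajax.php?action=get_content&path=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fuploads%2Fuploaded.php HTTP/1.1" 200 90 "-" "python-requests/2.31"',
);

/**
 * Return the lines that call action=get_content with a 'path' value that
 * contains traversal, an absolute path, a stream wrapper, or a .php file name.
 * Hypothetical helper written for this example.
 */
function rtm_example_flag_suspicious_requests( array $lines ) {
    $flagged = array();
    foreach ( $lines as $line ) {
        // Extract the request target from the quoted "METHOD target HTTP/x.y" field.
        if ( ! preg_match( '/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m ) ) {
            continue;
        }
        $query = parse_url( $m[1], PHP_URL_QUERY );
        if ( ! $query ) {
            continue;
        }
        parse_str( $query, $params );   // parse_str() URL-decodes the values
        if ( ! isset( $params['action'], $params['path'] ) || 'get_content' !== $params['action'] ) {
            continue;
        }
        $path = $params['path'];
        $suspicious =
            false !== strpos( $path, '..' )                        // directory traversal
            || '/' === substr( $path, 0, 1 )                       // absolute path
            || preg_match( '/^[a-z][a-z0-9+.-]*:\/\//i', $path )    // php://, data://, ...
            || preg_match( '/\.php\b/i', $path );                   // names a PHP file
        if ( $suspicious ) {
            $flagged[] = $line;
        }
    }
    return $flagged;
}

// Usage: php scan.php   (prints the second and fourth sample lines)
foreach ( rtm_example_flag_suspicious_requests( $sample_log ) as $hit ) {
    echo "SUSPICIOUS: $hit\n";
}
```

Two caveats when pointing this at real logs: access logs record only the query string, so a 'path' sent in a POST body will not appear there and needs a WAF, reverse-proxy or WordPress-level request log instead; and because the action requires an authenticated Author-level user, a hit is worth correlating with the logged-in account (for example through a security plugin's activity log) rather than treating it as anonymous scanner noise.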
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.