The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7. This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute files on the server ending in _templates.php, allowing the execution of any PHP code in those files.
Metrics
Affected Vendors & Products
References
History
Fri, 03 Jul 2026 12:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Rometheme, Rometheme rtmkit, Wordpress, Wordpress wordpress |
| Vendors & Products | | Rometheme, Rometheme rtmkit, Wordpress, Wordpress wordpress |
Fri, 03 Jul 2026 10:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | | The RTMKit (rometheme-for-elementor) plugin for WordPress is vulnerable to Local File Inclusion in versions up to, and including, 2.0.7. This is due to insufficient path validation on the 'template' parameter in the render_templates AJAX endpoint, which is used directly in a require/include statement without sanitization. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute files on the server ending in _templates.php, allowing the execution of any PHP code in those files. |
| Title | | RTMKit <= 2.0.7 - Authenticated (Contributor+) Limited Local File Inclusion via 'template' Parameter |
| Weaknesses | | CWE-98 |
| References | | |
| Metrics | | cvssV3_1 |
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-03T09:31:52.399Z
Reserved: 2026-03-30T10:48:18.196Z
Link: CVE-2026-5137
OpenCVE Enrichment
Updated: 2026-07-03T11:45:05Z