cleantalk
Vulnerabilities and Security Researches

RomethemeKit For Elementor, CVE-2026-3425

CVE, Research URL

CVE-2026-3425

Home page URL

Security reports for RomethemeKit For Elementor

Application

RomethemeKit For Elementor

Published on
May 13, 2026
Research Description
The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' parameter of the 'get_content' AJAX action. This makes it possible for authenticated attackers, with Author-level access and above, to include and execute arbitrary PHP files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.
Affected versions
max 2.0.3.
Status
vulnerable
Previous vulnerability researches
Advanced Custom Fields: Font Awesome Field (CVE-2025-14983) , Feb 27, 2026
Advanced Custom Fields: Font Awesome Field (CVE-2026-6415) , May 15, 2026
New vulnerability
RomethemeKit For Elementor (CVE-2026-3426) , May 16, 2026
RomethemeKit For Elementor (CVE-2026-3425) , May 16, 2026
Meta Field Block (CVE-2026-6252) , May 16, 2026
Gallery Plugin for WordPress – Envira Photo Gallery (CVE-2026-5361) , May 15, 2026
Database Backup for WordPress (CVE-2026-4029) , May 15, 2026