cleantalk
Vulnerabilities and Security Researches

RomethemeKit For Elementor, CVE-2025-12473

CVE, Research URL

CVE-2025-12473

Home page URL

Security reports for RomethemeKit For Elementor

Application

RomethemeKit For Elementor

Published on
Mar 11, 2026
Research Description
The RTMKit plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'themebuilder' parameter in all versions up to, and including, 1.6.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a site administrator into performing an action such as clicking on a link.
Affected versions
max 1.6.8.
Status
vulnerable
Previous vulnerability researches
Additional Custom Product Tabs for WooCommerce (CVE-2025-58985) , Sep 10, 2025
Additional Custom Product Tabs for WooCommerce (CVE-2025-26749) , Apr 15, 2025
Custom Product Tabs For WooCommerce (CVE-2024-12721) , Dec 22, 2024
New vulnerability
Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms (CVE-2026-25430) , Mar 29, 2026
Co-Authors, Multiple Authors and Guest Authors in an Author Box with PublishPress Authors (CVE-2026-25309) , Mar 29, 2026
Widget Wrangler (CVE-2026-25447) , Mar 29, 2026
Astra Bulk Edit (CVE-2026-32431) , Mar 29, 2026
JS Help Desk – Best Help Desk & Support Plugin (CVE-2026-32535) , Mar 29, 2026