cleantalk
Vulnerabilities and Security Researches

RomethemeKit For Elementor, CVE-2026-5149

CVE, Research URL

CVE-2026-5149

Home page URL

Security reports for RomethemeKit For Elementor

Application

RomethemeKit For Elementor

Published on
Jun 16, 2026
Research Description
The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the get_submission_content AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it possible for authenticated attackers, with Contributor-level access and above, to view arbitrary form submissions from other users by iterating the entries_id parameter.
Affected versions
max 2.0.8.
Status
vulnerable
Previous vulnerability researches
RomethemeKit For Elementor (CVE-2025-24743) , Jan 26, 2025
RomethemeKit For Elementor (CVE-2024-10324) , Jan 26, 2025
RomethemeKit For Elementor (CVE-2025-49235) , Jun 15, 2025
RomethemeKit For Elementor (CVE-2025-8609) , Apr 23, 2026
RomethemeKit For Elementor (CVE-2024-10326) , Mar 10, 2025
New vulnerability
Video Conferencing with Zoom (CVE-2026-6964) , Jun 17, 2026
Media Library Assistant (CVE-2026-54198) , Jun 17, 2026
RomethemeKit For Elementor (CVE-2026-5149) , Jun 17, 2026
WooCommerce Digital Signature (CVE-2026-52694) , Jun 17, 2026
Permalink Manager Lite (CVE-2026-8494) , Jun 17, 2026