CVE-2026-3425: LFI in RTMKit Addons for Elementor
Plattform
wordpress
Komponente
rometheme-for-elementor
Behoben in
2.0.3
CVE-2026-3425 describes a Local File Inclusion (LFI) vulnerability affecting the RTMKit Addons for Elementor plugin for WordPress. This flaw allows authenticated attackers with Author-level access or higher to include and execute arbitrary PHP files on the server. The vulnerability impacts versions up to and including 2.0.2, and a patch is available in version 2.0.3.
Erkenne diese CVE in deinem Projekt
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Auswirkungen und Angriffsszenarien
The impact of this LFI vulnerability is significant. An attacker, once authenticated, can leverage the 'get_content' AJAX action's 'path' parameter to include and execute arbitrary PHP files. This effectively grants them the ability to execute arbitrary code on the server, potentially bypassing access controls. Successful exploitation could lead to the theft of sensitive data, modification of website content, or even complete system compromise. The ability to upload and include PHP files amplifies the risk, allowing attackers to inject malicious code directly into the environment. This vulnerability shares similarities with other LFI exploits where attackers gain code execution by manipulating file paths.
Ausnutzungskontext
CVE-2026-3425 was published on 2026-05-12. Its severity is rated HIGH with a CVSS score of 8.8. Currently, there are no publicly available Proof-of-Concept (POC) exploits. The vulnerability is not listed on KEV or EPSS, suggesting a low to medium probability of active exploitation at this time. Monitor security advisories and threat intelligence feeds for any indications of exploitation campaigns.
Bedrohungsanalyse
Exploit-Status
CISA SSVC
CVSS-Vektor
Was bedeuten diese Metriken?
- Attack Vector
- Netzwerk — aus der Ferne über das Internet ausnutzbar. Kein physischer oder lokaler Zugriff erforderlich.
- Attack Complexity
- Niedrig — keine besonderen Bedingungen erforderlich. Zuverlässig ausnutzbar.
- Privileges Required
- Niedrig — jedes gültige Benutzerkonto ist ausreichend.
- User Interaction
- Keine — automatischer und lautloser Angriff. Das Opfer tut nichts.
- Scope
- Unverändert — Auswirkung auf das anfällige Komponente beschränkt.
- Confidentiality
- Hoch — vollständiger Vertraulichkeitsverlust. Angreifer kann alle Daten lesen.
- Integrity
- Hoch — Angreifer kann beliebige Daten schreiben, ändern oder löschen.
- Availability
- Hoch — vollständiger Absturz oder Ressourcenerschöpfung. Totaler Denial of Service.
Betroffene Software
Schwachstellen-Klassifikation (CWE)
Zeitleiste
- Reserviert
- Veröffentlicht
- Geändert
Mitigation und Workarounds
The primary mitigation for CVE-2026-3425 is to immediately upgrade the RTMKit Addons for Elementor plugin to version 2.0.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the 'get_content' AJAX action. Implement a Web Application Firewall (WAF) rule to filter requests containing suspicious characters or patterns in the 'path' parameter. Regularly review file permissions to ensure that only authorized users have write access to PHP files. After upgrading, confirm the fix by attempting to access the vulnerable endpoint with a malicious path; the request should be denied.
So beheben
Aktualisieren Sie auf Version 2.0.3 oder eine neuere gepatchte Version
Häufig gestellte Fragen
What is CVE-2026-3425 — LFI in RTMKit Addons for Elementor?
CVE-2026-3425 is a Local File Inclusion vulnerability in the RTMKit Addons for Elementor WordPress plugin, allowing authenticated attackers to execute arbitrary PHP code. It affects versions up to 2.0.2 and poses a significant security risk.
Am I affected by CVE-2026-3425 in RTMKit Addons for Elementor?
You are affected if you are using RTMKit Addons for Elementor version 2.0.2 or earlier. Verify your plugin version and upgrade immediately if vulnerable.
How do I fix CVE-2026-3425 in RTMKit Addons for Elementor?
Upgrade the RTMKit Addons for Elementor plugin to version 2.0.3 or later. If immediate upgrade is not possible, implement temporary restrictions on the 'get_content' AJAX action and consider WAF rules.
Is CVE-2026-3425 being actively exploited?
Currently, there are no publicly known active exploitation campaigns for CVE-2026-3425, but it's crucial to apply the patch promptly to prevent potential future attacks.
Where can I find the official RTMKit advisory for CVE-2026-3425?
Refer to the official RTMKit website and WordPress plugin repository for the latest advisory and update information regarding CVE-2026-3425.
Ist dein Projekt betroffen?
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Erkenne diese CVE in deinem Projekt
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Scannen Sie jetzt Ihr WordPress-Projekt – kein Konto
Laden Sie ein Manifest hoch (composer.lock, package-lock.json, WordPress Plugin-Liste…) oder fügen Sie Ihre Komponentenliste ein. Sie erhalten sofort einen Schwachstellenbericht. Das Hochladen einer Datei ist nur der Anfang: Mit einem Konto erhalten Sie kontinuierliche Überwachung, Slack/email-Benachrichtigungen, Multi-Projekt- und White-Label-Berichte.
Abhängigkeitsdatei hier ablegen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...