免费扫描
CRITICALCVE-2025-30911CVSS 9.9

WordPress RomethemeKit For Elementor plugin <= 1.5.4 - Arbitrary Plugin Installation/Activation to RCE vulnerability

翻译中…

平台

wordpress

组件

rometheme-for-elementor

修复版本

1.5.5

AI Confidence: highNVDEPSS 1.7%已审阅: 2026年5月
在NVD查看
保存
正在翻译为您的语言…

CVE-2025-30911 describes a Remote Code Execution (RCE) vulnerability within the RomethemeKit For Elementor WordPress plugin. This flaw allows attackers to inject arbitrary commands, potentially leading to complete system compromise. The vulnerability impacts versions from 0.0 up to and including 1.5.4. A fix is available in version 1.5.5.

WordPress

检测此 CVE 是否影响你的项目

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描

影响与攻击场景翻译中…

The vulnerability stems from improper control of code generation, specifically allowing command injection. An attacker could exploit this by crafting malicious input that is then executed on the server. Successful exploitation could allow an attacker to execute arbitrary system commands, potentially leading to data theft, modification, or deletion. The attacker could also establish a persistent backdoor, enabling them to regain access to the system at a later time. Given the plugin's integration with Elementor, a popular WordPress page builder, the potential blast radius is significant, affecting numerous websites.

利用背景翻译中…

CVE-2025-30911 was publicly disclosed on April 1, 2025. The vulnerability is considered high probability due to the ease of command injection and the plugin's popularity. No public proof-of-concept (POC) code has been observed as of the disclosure date, but the nature of the vulnerability suggests that a POC is likely to emerge soon. It is not currently listed on the CISA KEV catalog.

哪些人处于风险中翻译中…

Websites utilizing the RomethemeKit For Elementor plugin, particularly those running older versions (0.0 - 1.5.4), are at significant risk. Shared hosting environments where plugin updates are not managed by the website owner are also particularly vulnerable. Websites heavily reliant on Elementor for page building are also at higher risk due to the plugin's core functionality.

检测步骤翻译中…

• wordpress / composer / npm:

grep -r 'system(' /var/www/html/wp-content/plugins/rometheme-for-elementor/

• wordpress / composer / npm:

wp plugin list --status=inactive | grep rometheme

• wordpress / composer / npm:

wp plugin update rometheme-for-elementor

• generic web: Check WordPress plugin directory for updated version 1.5.5.

攻击时间线

  1. Disclosure

    disclosure

威胁情报

漏洞利用状态

概念验证未知
CISA KEVNO
互联网暴露

EPSS

1.74% (82% 百分位)

CISA SSVC

利用情况none
可自动化no
技术影响total

CVSS 向量

威胁情报· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H9.9CRITICALAttack VectorNetwork攻击者如何到达目标Attack ComplexityLow利用漏洞所需的条件Privileges RequiredLow攻击所需的认证级别User InteractionNone是否需要受害者采取行动ScopeChanged超出受影响组件的影响范围ConfidentialityHigh敏感数据泄露风险IntegrityHigh数据未授权篡改风险AvailabilityHigh服务中断风险nextguardhq.com · CVSS v3.1 基础分数
这些指标意味着什么?
Attack Vector
网络 — 可通过互联网远程利用,无需物理或本地访问。攻击面最大。
Attack Complexity
低 — 无需特殊条件,可以稳定地利用漏洞。
Privileges Required
低 — 任何有效用户账户均可。
User Interaction
无 — 攻击自动且无声,受害者无需任何操作。
Scope
已改变 — 攻击可以超出脆弱组件,影响其他系统。
Confidentiality
高 — 完全丧失机密性,攻击者可读取所有数据。
Integrity
高 — 攻击者可写入、修改或删除任何数据。
Availability
高 — 完全崩溃或资源耗尽,完全拒绝服务。

受影响的软件

组件rometheme-for-elementor
供应商Rometheme
影响范围修复版本
0 – 1.5.41.5.5

软件包信息

活跃安装数
50K小众
插件评分
3.1
需要WordPress版本
6.8+
兼容至
6.9.4
需要PHP版本
8.2+

弱点分类 (CWE)

CWE-94

时间线

  1. 已保留
  2. 发布日期
  3. 修改日期
  4. EPSS 更新日期

缓解措施和替代方案翻译中…

The primary mitigation is to immediately upgrade the RomethemeKit For Elementor plugin to version 1.5.5 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. While a direct WAF rule is unlikely to be effective against this type of code injection, carefully reviewing and restricting user input to the plugin is recommended. Monitor WordPress error logs for suspicious command execution attempts. Regularly scan your WordPress installation for vulnerabilities using a reputable security plugin.

修复方法翻译中…

Actualice el plugin Rometheme RTMKit rometheme-for-elementor a la última versión disponible para mitigar la vulnerabilidad de inyección de comandos.  Verifique las fuentes oficiales del plugin o el repositorio de WordPress para obtener la actualización más reciente.  Considere implementar medidas de seguridad adicionales, como limitar los permisos de usuario y revisar el código del plugin en busca de posibles vulnerabilidades.

CVE 安全通讯

漏洞分析和关键警报直接发送到您的邮箱。

常见问题翻译中…

What is CVE-2025-30911 — RCE in RomethemeKit For Elementor?

CVE-2025-30911 is a critical Remote Code Execution vulnerability in the RomethemeKit For Elementor WordPress plugin, allowing attackers to execute commands on the server.

Am I affected by CVE-2025-30911 in RomethemeKit For Elementor?

You are affected if you are using RomethemeKit For Elementor versions 0.0 through 1.5.4. Upgrade to 1.5.5 or later to resolve the issue.

How do I fix CVE-2025-30911 in RomethemeKit For Elementor?

Upgrade the RomethemeKit For Elementor plugin to version 1.5.5 or later. If upgrading is not possible, temporarily disable the plugin.

Is CVE-2025-30911 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's nature suggests it is likely to be targeted, and a POC is expected.

Where can I find the official Rometheme advisory for CVE-2025-30911?

Refer to the Rometheme official website or WordPress plugin repository for the latest advisory and update information.

你的项目受影响吗?

上传你的依赖文件,立即了解此CVE和其他CVE是否影响你。

免费扫描搜索 CVE