RTMKit Addons for Elementor Local File Inclusion Vulnerability
Vulnerability
A local file inclusion vulnerability has been identified in the RTMKit Addons for Elementor plugin for WordPress, affecting all versions through 2.0.2. The vulnerability arises in the 'get_content' AJAX action, where the 'path' parameter is not properly sanitized. This flaw allows authenticated attackers with Author-level access and above to include and execute arbitrary PHP files on the server. Exploitation of this vulnerability could lead to unauthorized code execution, access to sensitive data, or bypassing access controls, particularly in scenarios where PHP files can be uploaded and included.
Impact
Exploitation of this vulnerability could result in unauthorized execution of PHP code on the server, potentially leading to a full compromise of the affected WordPress site.
Reproduction
To reproduce this vulnerability, an authenticated user with Author-level access or higher can send a request to the 'get_content' AJAX action with a crafted 'path' parameter. This parameter should be set to a value that points to a PHP file on the server that the attacker wishes to include and execute. The request must include the 'rtmkit_nonce' for authentication.
Remediation
Users are advised to update the RTMKit Addons for Elementor plugin to version 2.0.3 or later.
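For developers reviewing similar AJAX handlers, the following added example shows a path check that blocks this class of file inclusion; it is not the plugin's code or its 2.0.3 patch. The `rtm_example_*` function names, the `templates` directory, the `nonce` request field, the use of `rtmkit_nonce` as the nonce action, and the `edit_posts` capability are all assumptions made for illustration.

```php
<?php
// Added example: hypothetical hardened handler, not the plugin's code or its patch.
// Assumed: rtm_example_* names, templates/ directory, 'nonce' request field,
// 'rtmkit_nonce' as the nonce action, and the capability being checked.

/** Resolve a user-supplied relative path to a file inside $base_dir, or null. */
function rtm_example_resolve_template( string $base_dir, string $requested ): ?string {
    // Reject empty input, null bytes, stream wrappers (php://, phar://) and absolute paths.
    if ( $requested === '' || strpos( $requested, "\0" ) !== false
        || strpos( $requested, '://' ) !== false
        || preg_match( '#^([a-zA-Z]:)?[\\\\/]#', $requested ) ) {
        return null;
    }
    $base = realpath( $base_dir );
    $full = realpath( $base_dir . DIRECTORY_SEPARATOR . $requested );
    if ( $base === false || $full === false || ! is_file( $full ) ) {
        return null;
    }
    // realpath() has resolved ../ segments and symlinks; the result must stay under $base.
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( strncmp( $full, $base, strlen( $base ) ) !== 0 ) {
        return null;
    }
    // Only .php templates inside the plugin's own directory are eligible for include.
    return pathinfo( $full, PATHINFO_EXTENSION ) === 'php' ? $full : null;
}

function rtm_example_get_content() {
    // A nonce only proves the request came from a page the user loaded (CSRF defence);
    // the capability check below is the actual authorization decision.
    check_ajax_referer( 'rtmkit_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $path = ( isset( $_POST['path'] ) && is_string( $_POST['path'] ) )
        ? wp_unslash( $_POST['path'] ) : '';
    $file = rtm_example_resolve_template( __DIR__ . '/templates', $path );
    if ( $file === null ) {
        wp_send_json_error( 'invalid path', 400 );
    }
    ob_start();
    include $file; // reached only for a canonical path inside templates/
    wp_send_json_success( ob_get_clean() );
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_ajax_get_content', 'rtm_example_get_content' );
}
```

Because the containment check runs on the canonical path, files written to the uploads directory cannot be reached through `path` even when an Author can upload them.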
