Rometheme RTMKit Addons
cpe:2.3:a:rometheme:romethemekit_for_elementor:*:*:*:*:wordpress:*:*
- <= 2.0.2
A vulnerability exists in the RTMKit Addons for Elementor plugin for WordPress, in all versions up to and including 2.0.2. The issue arises from inadequate capability checks in the save_widget() and reset_all_widgets() functions. This flaw allows authenticated attackers with Author-level access or higher to alter or reset the site's global widget settings without authorization.
Exploitation of this vulnerability could lead to unauthorized changes in the site's widget configurations, potentially disrupting the site's layout or functionality.
To reproduce this vulnerability, an authenticated user with Author-level access can use the WordPress admin interface to send a request to the 'wp_ajax_save_widget' or 'wp_ajax_reset_all_widgets' actions. These requests will be processed by the vulnerable functions, allowing the user to modify or reset widget settings without the necessary permissions.
Users are advised to update the RTMKit Addons for Elementor plugin to version 2.0.3 or later, where this vulnerability has been patched.
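The root cause described above is an AJAX handler that changes site-wide state without confirming the caller's capability. The following is an added illustration of that pattern and its hardened form; it is not code from the RTMKit plugin or from its 2.0.3 fix, and the action names, option name, nonce action and settings keys are all constructed for the example.

```php
<?php
/**
 * Hypothetical illustration (not the RTMKit plugin's code): an admin-ajax
 * handler that persists global widget settings, first with the missing
 * capability check, then hardened. All names below are constructed.
 */

// --- Vulnerable pattern: reachable by any logged-in user. ---
// Registered with add_action( 'wp_ajax_demo_save_widget', ... ) in the flawed version;
// left unregistered here so only the hardened handlers are wired up.
function demo_save_widget_insecure() {
    // No nonce check and no current_user_can(): an Author-level account
    // overwrites the site-wide option just by sending the request.
    $settings = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    update_option( 'demo_global_widgets', $settings );
    wp_send_json_success();
}

// --- Hardened pattern. ---
add_action( 'wp_ajax_demo_save_widget', 'demo_save_widget' );
add_action( 'wp_ajax_demo_reset_all_widgets', 'demo_reset_all_widgets' );

/**
 * Shared gate for both handlers: a CSRF nonce plus an explicit capability.
 * manage_options is held by Administrators only, so Authors, Editors and
 * Contributors receive a 403 before any state is touched.
 */
function demo_require_widget_admin() {
    check_ajax_referer( 'demo_widget_settings', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
}

function demo_save_widget() {
    demo_require_widget_admin();

    $raw = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();

    // Only the keys this feature actually stores are kept; each value is sanitized.
    $allowed = array( 'enabled_widgets', 'default_style' );
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( ! isset( $raw[ $key ] ) ) {
            continue;
        }
        $clean[ $key ] = is_array( $raw[ $key ] )
            ? array_map( 'sanitize_text_field', $raw[ $key ] )
            : sanitize_text_field( $raw[ $key ] );
    }

    update_option( 'demo_global_widgets', $clean );
    wp_send_json_success( $clean );
}

function demo_reset_all_widgets() {
    demo_require_widget_admin();
    delete_option( 'demo_global_widgets' );
    wp_send_json_success();
}

/** Nonce the settings page embeds so the front end can call the handlers. */
function demo_widget_settings_nonce() {
    return wp_create_nonce( 'demo_widget_settings' );
}
```

Two points matter for review. The nonce alone is not an authorization check: any logged-in user can obtain one from a page they are allowed to view, so the `current_user_can()` call is what actually stops the Author-level request this advisory describes. And the capability is checked inside each handler rather than only at `add_action()` time, because admin-ajax.php dispatches every `wp_ajax_*` hook to every authenticated user regardless of role.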