RTMKit Addons for Elementor Plugin <= 2.0.2 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/rtmkit-addons-for-elementor-plugin--2.0.2/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 13 May 2026 15:51:38 +0000RTMKit Addons for Elementor WordPress Plugin LFI Vulnerability (CVE-2026-3425)https://feed.craftedsignal.io/briefs/2026-05-rtmkit-lfi/Wed, 13 May 2026 15:51:38 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-rtmkit-lfi/The RTMKit Addons for Elementor plugin for WordPress is vulnerable to local file inclusion (LFI) via the 'path' parameter in the 'get_content' AJAX action, allowing authenticated attackers with Author-level access or higher to include and execute arbitrary PHP files, leading to potential code execution.The RTMKit Addons for Elementor plugin, a popular WordPress extension, contains a local file inclusion vulnerability (CVE-2026-3425) affecting versions up to and including 2.0.2. This flaw resides within the ‘get_content’ AJAX action, specifically through the ‘path’ parameter. Authenticated users with Author-level privileges or higher can exploit this vulnerability to include and execute arbitrary PHP files residing on the server. This can enable attackers to bypass access controls, obtain sensitive data, or ultimately achieve remote code execution by including uploaded PHP files. This vulnerability poses a significant risk to WordPress websites utilizing the affected plugin.

Attack Chain

  1. An attacker authenticates to the WordPress site with Author-level or higher privileges.
  2. The attacker crafts a malicious HTTP request targeting the ‘admin-ajax.php’ endpoint.
  3. The request includes the ‘action’ parameter set to ‘get_content’.
  4. The attacker manipulates the ‘path’ parameter within the request, setting it to point to a sensitive local file or an uploaded PHP file.
  5. The server processes the request and includes the specified file.
  6. If the included file is a PHP file, the server executes the PHP code.
  7. The attacker can leverage this to read sensitive data from the server, such as configuration files.
  8. Alternatively, the attacker could upload a PHP file (e.g., through a separate vulnerability or misconfiguration) and then include it using the LFI vulnerability, achieving arbitrary code execution.

Impact

Successful exploitation of CVE-2026-3425 allows attackers with Author-level access to bypass access controls and execute arbitrary PHP code on the WordPress server. This could lead to the compromise of sensitive data, defacement of the website, or complete takeover of the server. The number of potentially affected websites is significant, given the widespread use of WordPress and the RTMKit Addons for Elementor plugin.

Recommendation

  • Upgrade the RTMKit Addons for Elementor plugin to a version greater than 2.0.2 to patch CVE-2026-3425.
  • Deploy the Sigma rule “Detect CVE-2026-3425 Exploitation — RTMKit LFI Attempt” to your SIEM and tune for your environment.
  • Monitor web server logs for requests to ‘admin-ajax.php’ with the ‘action’ parameter set to ‘get_content’ and suspicious values in the ‘path’ parameter, using the file paths and extensions in the detection rule as a reference.
]]>highadvisorylfiwordpressplugincve-2026-3425