{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-3425/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3425"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["RTMKit Addons for Elementor plugin \u003c= 2.0.2"],"_cs_severities":["high"],"_cs_tags":["lfi","wordpress","plugin","cve-2026-3425"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe RTMKit Addons for Elementor plugin, a popular WordPress extension, contains a local file inclusion vulnerability (CVE-2026-3425) affecting versions up to and including 2.0.2. This flaw resides within the \u0026lsquo;get_content\u0026rsquo; AJAX action, specifically through the \u0026lsquo;path\u0026rsquo; parameter. Authenticated users with Author-level privileges or higher can exploit this vulnerability to include and execute arbitrary PHP files residing on the server. This can enable attackers to bypass access controls, obtain sensitive data, or ultimately achieve remote code execution by including uploaded PHP files. This vulnerability poses a significant risk to WordPress websites utilizing the affected plugin.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the WordPress site with Author-level or higher privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u0026lsquo;admin-ajax.php\u0026rsquo; endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes the \u0026lsquo;action\u0026rsquo; parameter set to \u0026lsquo;get_content\u0026rsquo;.\u003c/li\u003e\n\u003cli\u003eThe attacker manipulates the \u0026lsquo;path\u0026rsquo; parameter within the request, setting it to point to a sensitive local file or an uploaded PHP file.\u003c/li\u003e\n\u003cli\u003eThe server processes the request and includes the specified file.\u003c/li\u003e\n\u003cli\u003eIf the included file is a PHP file, the server executes the PHP code.\u003c/li\u003e\n\u003cli\u003eThe attacker can leverage this to read sensitive data from the server, such as configuration files.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker could upload a PHP file (e.g., through a separate vulnerability or misconfiguration) and then include it using the LFI vulnerability, achieving arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3425 allows attackers with Author-level access to bypass access controls and execute arbitrary PHP code on the WordPress server. This could lead to the compromise of sensitive data, defacement of the website, or complete takeover of the server. The number of potentially affected websites is significant, given the widespread use of WordPress and the RTMKit Addons for Elementor plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the RTMKit Addons for Elementor plugin to a version greater than 2.0.2 to patch CVE-2026-3425.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-3425 Exploitation — RTMKit LFI Attempt\u0026rdquo; to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to \u0026lsquo;admin-ajax.php\u0026rsquo; with the \u0026lsquo;action\u0026rsquo; parameter set to \u0026lsquo;get_content\u0026rsquo; and suspicious values in the \u0026lsquo;path\u0026rsquo; parameter, using the file paths and extensions in the detection rule as a reference.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-13T15:51:38Z","date_published":"2026-05-13T15:51:38Z","id":"https://feed.craftedsignal.io/briefs/2026-05-rtmkit-lfi/","summary":"The RTMKit Addons for Elementor plugin for WordPress is vulnerable to local file inclusion (LFI) via the 'path' parameter in the 'get_content' AJAX action, allowing authenticated attackers with Author-level access or higher to include and execute arbitrary PHP files, leading to potential code execution.","title":"RTMKit Addons for Elementor WordPress Plugin LFI Vulnerability (CVE-2026-3425)","url":"https://feed.craftedsignal.io/briefs/2026-05-rtmkit-lfi/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-3425","version":"https://jsonfeed.org/version/1.1"}