CVE-2024-10326
RomethemeKit For Elementor <= 1.5.3 - Missing Authorization in save_options and reset_widgets
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th
The RomethemeKit For Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_options and reset_widgets functions in all versions up to, and including, 1.5.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify plugin settings or reset plugin widgets to their default state (all enabled). NOTE: This vulnerability was partially fixed in version 1.5.3.
| CWE | CWE-862 |
| Vendor | rometheme |
| Product | rtmkit |
| Published | Mar 8, 2025 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for rometheme rtmkit
Be the first to know when new medium vulnerabilities affecting rometheme rtmkit are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
rometheme / RTMKit
0 โค 1.5.3
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/230b3f2f-44cf-46eb-8e6a-3c52f2ea2fb9?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3231792/rometheme-for-elementor plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3220079/rometheme-for-elementor
Credits
Tieu Pham Trong Nhan tptNhan