CVE-2026-12906
RTMKit Addons for Elementor < 2.0.9 - Contributor+ Private Post Title Disclosure
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
The RTMKit WordPress plugin before 2.0.9 does not perform a capability check in one of its AJAX actions and resolves a request-supplied post identifier directly, allowing users with at least the Contributor role to read the titles of other users' private, draft, pending, scheduled and trashed posts.
| Vendor | unknown |
| Product | rtmkit |
| Published | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for unknown rtmkit
Be the first to know when new unknown vulnerabilities affecting unknown rtmkit are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
Unknown / RTMKit
0 < 2.0.9
References
Credits
Meher Sudhakar Abbireddi WPScan