CVE-2026-3425 Overview
CVE-2026-3425 is a Local File Inclusion (LFI) vulnerability in the RTMKit Addons for Elementor plugin for WordPress. The flaw affects all plugin versions up to and including 2.0.2. Attackers exploit the path parameter of the get_content AJAX action to include arbitrary PHP files on the server. Authenticated users with Author-level access or higher can execute arbitrary PHP code by abusing this parameter. The vulnerability is tracked under [CWE-98] (Improper Control of Filename for Include/Require Statement in PHP Program).
Critical Impact
Authenticated attackers with Author privileges can execute arbitrary PHP code, bypass access controls, exfiltrate sensitive data, and achieve full site compromise when combined with file upload primitives.
Affected Products
- RTMKit Addons for Elementor (rometheme-for-elementor) WordPress plugin
- All versions up to and including 2.0.2
- WordPress sites where users with Author-level access or above are provisioned
Discovery Timeline
- 2026-05-13 - CVE-2026-3425 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-3425
Vulnerability Analysis
The vulnerability resides in the plugin's get_content AJAX action handler, defined in Inc/Core/PluginApi.php. The handler accepts a path parameter from the request and passes it to a PHP include or require statement without proper sanitization or allow-list validation. Authenticated attackers supply arbitrary file paths through this parameter. The PHP interpreter then loads and executes the contents of the referenced file as PHP code. Attackers leverage this primitive to read local files, include uploaded payloads, or chain with media upload functionality available to Author-level users for full remote code execution.
Root Cause
The root cause is improper validation of user-supplied input used to construct a file path passed to a PHP include or require function. The plugin trusts the path parameter from the AJAX request and does not constrain it to an allow-listed directory or a fixed set of filenames. This pattern matches [CWE-98], where untrusted input controls the filename argument of a PHP include statement.
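The pattern the root cause describes, shown as an added illustration rather than the plugin's actual code: the unsafe handler hands the request's path value straight to include, while the hardened handler lets the request pick only a key from a fixed allow-list and confines the resolved file to the plugin's own template directory with realpath. The function names, template directory and allow-list entries are assumptions.

```php
<?php
// Added illustration of CWE-98 in an AJAX content handler; not the plugin's real code.

// Unsafe pattern: the request decides which file PHP includes.
function unsafe_get_content(array $request): void {
    $path = $request['path'] ?? '';
    include $path;   // any file PHP can read is executed as code, whatever its extension
}

// Hardened pattern: the request only selects a key; the handler owns the paths.
const TEMPLATE_DIR = __DIR__ . '/templates';          // assumed plugin layout
const TEMPLATE_ALLOWLIST = [
    'hero'    => 'hero.php',
    'pricing' => 'pricing.php',
];

/**
 * Returns the absolute template path for $key, or null when the key is not in
 * the allow-list or the resolved file lies outside TEMPLATE_DIR.
 */
function resolve_template(string $key): ?string {
    if (!array_key_exists($key, TEMPLATE_ALLOWLIST)) {
        return null;                                   // reject anything not in the map
    }
    $base = realpath(TEMPLATE_DIR);
    $file = realpath(TEMPLATE_DIR . '/' . TEMPLATE_ALLOWLIST[$key]);
    // realpath() returns false for missing files; the prefix check also catches
    // symlinks or layout mistakes that would point outside the template directory.
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

function safe_get_content(array $request): void {
    // In WordPress this would sit behind a nonce check and current_user_can().
    $file = resolve_template((string) ($request['path'] ?? ''));
    if ($file === null) {
        http_response_code(400);
        echo 'invalid template';
        return;
    }
    include $file;
}
```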
Attack Vector
An authenticated user with Author capabilities or higher sends a crafted POST request to the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) targeting the get_content action. The attacker supplies a path value pointing to a PHP file accessible on the server filesystem. Common attack chains include uploading a PHP payload disguised as a media file through the WordPress media library, then referencing that file via the path parameter. The server executes the included file in the WordPress process context, granting the attacker code execution.
No verified public exploit code is currently available. Technical context is documented in the WordPress Plugin API Code and the Wordfence Vulnerability Advisory.
Detection Methods for CVE-2026-3425
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php containing action=get_content paired with a path parameter referencing absolute filesystem paths or parent-directory traversal sequences (../).
- Unexpected PHP files in the WordPress uploads directory, particularly files with double extensions or non-image MIME types uploaded by Author accounts.
- Web server logs showing requests from Author-level sessions immediately followed by outbound network connections from the PHP worker process.
Detection Strategies
- Inspect HTTP access logs for admin-ajax.php requests where the action parameter equals get_content and the path parameter contains a path separator (/ or \) or the .. traversal sequence.
- Deploy web application firewall (WAF) rules that block AJAX requests to the get_content action when the path parameter does not match an expected allow-list pattern.
- Audit WordPress user roles and recent media uploads, correlating Author-level uploads with subsequent AJAX requests to the vulnerable endpoint.
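A log scan for the indicators above, added here as an example and not part of the advisory. The log lines are constructed; because a standard access log records only the query string, parameters sent in the POST body need a WAF or application-level log instead.

```php
<?php
// Added detection example for the get_content indicators; the log lines are constructed.

const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [13/May/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=get_content&path=../../wp-includes/version.php HTTP/1.1" 200 512
203.0.113.7 - - [13/May/2026:10:01:09 +0000] "POST /wp-admin/admin-ajax.php?action=get_content&path=/var/www/html/wp-content/uploads/2026/05/photo.jpg.php HTTP/1.1" 200 88
198.51.100.4 - - [13/May/2026:10:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=get_content&path=hero HTTP/1.1" 200 2048
198.51.100.4 - - [13/May/2026:10:02:20 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 33
LOG;

/**
 * Returns true when a request line targets admin-ajax.php with action=get_content
 * and a path value that looks like a filesystem path rather than a template key.
 */
function is_suspicious_get_content(string $logLine): bool {
    // Pull the request target out of the quoted "METHOD target HTTP/x" field.
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return false;
    }
    $url = parse_url($m[1]);
    if (!isset($url['path'], $url['query'])
        || substr($url['path'], -strlen('/admin-ajax.php')) !== '/admin-ajax.php') {
        return false;
    }
    parse_str($url['query'], $params);   // also decodes %2E%2E%2F-style encoding
    if (($params['action'] ?? '') !== 'get_content' || !isset($params['path'])) {
        return false;
    }
    $path = (string) $params['path'];
    // Absolute paths, backslashes or parent-directory traversal have no
    // legitimate place in a template selector.
    return $path !== '' && (
        $path[0] === '/' || strpos($path, '\\') !== false || strpos($path, '..') !== false
    );
}

foreach (explode("\n", SAMPLE_LOG) as $line) {
    if (is_suspicious_get_content($line)) {
        echo "ALERT: $line\n";   // the first two sample lines are flagged
    }
}
```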
Monitoring Recommendations
- Enable WordPress audit logging for AJAX endpoint usage and user role activity, forwarding events to a centralized SIEM for correlation.
- Monitor PHP-FPM and web server processes for anomalous child process spawns, outbound connections, or file writes following Author-level authentication events.
- Alert on file creation events inside wp-content/uploads/ where the file extension is .php, .phtml, .phar, or other server-executable types.
How to Mitigate CVE-2026-3425
Immediate Actions Required
- Update the RTMKit Addons for Elementor plugin to the patched version released in WordPress Changeset 3474369, which is the fixed release after 2.0.2.
- Audit all WordPress user accounts with Author, Editor, or Administrator roles and revoke unnecessary privileges.
- Review media library contents for unexpected PHP files and remove any suspicious uploads.
- Rotate WordPress secret keys, database credentials, and user passwords if compromise is suspected.
Patch Information
The vendor addressed the vulnerability in the changeset published at WordPress Changeset 3474369. Site administrators should install the patched plugin version through the WordPress admin dashboard or by manually replacing the plugin files. Confirm the fixed version is active by checking the plugin metadata after upgrade.
Workarounds
- Deactivate and remove the RTMKit Addons for Elementor plugin until a patched version is installed.
- Configure the web server to deny execution of PHP files within wp-content/uploads/ using directives in .htaccess (Apache) or location blocks (Nginx).
- Restrict Author-level account creation and require multi-factor authentication for all privileged WordPress users.
- Apply a WAF virtual patch that blocks requests to admin-ajax.php where action=get_content and path contains traversal sequences or absolute paths.
# Nginx configuration to block PHP execution in uploads directory.
# Place this regex location before the generic "location ~ \.php$" block that
# passes requests to PHP-FPM; Nginx uses the first matching regex location.
location ~* /wp-content/uploads/.*\.php$ {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


