What the vulnerability does
Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Rometheme RTMKit rometheme-for-elementor allows Command Injection. This issue affects RTMKit: from n/a through <= 1.5.4.
CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Explanation of Vulnerability in Simple Terms
RTMKit versions up to 1.5.4 contain a code injection vulnerability that allows authenticated users with low privileges to run arbitrary code on the site. The vulnerability affects the entire system due to scope change, enabling attackers to read sensitive data, modify site content, or disrupt service. Update to a version newer than 1.5.4 immediately.
What an attacker can do
Run arbitrary code on the site, read sensitive data, modify content, or disable the site.
Potential impact on your site
Any authenticated user can compromise the entire site, including database access and file modification.
Conditions required to exploit
Attacker must have a low-privilege authenticated account on the site.