CVE-2026-3425 - Vulnerability Analysis
High
CVSS: 8.8
Last Updated: May 13, 2026
RTMKit Addons for Elementor - Local File Inclusion
Overview
The RTMKit Addons for Elementor WordPress plugin <= 2.0.2 contains a local file inclusion vulnerability caused by improper sanitization of the 'path' parameter in the 'get_content' AJAX action, letting authenticated attackers with Author-level access include and execute arbitrary PHP files.
Impact
Authenticated attackers with Author-level access can execute arbitrary PHP code, bypass access controls, and obtain sensitive data.
Mitigation
Update to the latest version beyond 2.0.2.
Social Media Activity (2 posts)
CVE-2026-3425 - High (8.8) The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.0.2 via the 'path' parameter of the 'get_content' AJAX action. This makes it possible for authenticated attackers, w... https://www.thehackerwire.com/vulnerability/CVE-2026-3425/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-3425
- Severity: High
- CVSS Score: 8.8
- Type: file_inclusion
- Status: rejected
- EPSS: 8.1%
- Social Posts: 2
CWE
- CWE-98
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H