PT-2025-14068 · Unknown · Romethemekit For Elementor

Rafie Muhammad

·

Published

2025-04-01

·

Updated

2025-05-21

·

CVE-2025-30911

CVSS v3.1

9.9

Critical

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

RomethemeKit For Elementor versions n/a through 1.5.4
Description

The vulnerability is classified as Improper Control of Generation of Code ('Code Injection') and allows command injection. It affects over 30,000 active sites. The install_requirements() function, hooked to the wp_ajax_install_requirements AJAX action, performs neither a capability check nor nonce validation, so any authenticated user (a low-privileged account is sufficient, since wp_ajax_ actions fire for every logged-in user) can reach an installer routine that should be restricted to users allowed to install plugins.

Recommendations

Update the plugin to version 1.5.5 or later, which resolves the issue. If updating is not immediately possible, deactivate the plugin, or as a temporary workaround restrict access to the install_requirements() function and the wp_ajax_install_requirements endpoint (for example by enforcing a capability check before the handler runs) to minimize the risk of exploitation. Do not continue running a vulnerable version of RomethemeKit For Elementor on a site that accepts user registrations.
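The following must-use plugin is an added example of the temporary workaround described above; it is not code from RomethemeKit, from the advisory, or from the 1.5.5 fix, and the plugin's own install_requirements() internals are not shown on this page. It hooks the same wp_ajax_install_requirements action at priority 0, so it runs before the plugin's callback (registered at WordPress's default priority 10), and refuses the request unless the caller holds the install_plugins capability that WordPress core itself requires for installing plugins. The rtk_gate_* names, the nonce action name and the _wpnonce request field are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Gate wp_ajax_install_requirements (temporary mitigation)
 * Description: Illustrative mu-plugin. Place in wp-content/mu-plugins/ so it
 *              loads before regular plugins. Remove it once the site runs
 *              RomethemeKit For Elementor 1.5.5 or later.
 */

// Capability WordPress core requires for installing plugins. Single-site
// administrators hold it; on multisite only super admins do, which is the
// right bar for an endpoint that can install and activate code.
const RTK_GATE_CAPABILITY = 'install_plugins';

// ASSUMPTION: illustrative nonce action name. Vulnerable versions send no
// nonce at all, so requiring one here would break legitimate administrator
// use; set RTK_GATE_REQUIRE_NONCE to true only if the plugin's JavaScript is
// also changed to send wp_create_nonce( RTK_GATE_NONCE_ACTION ).
const RTK_GATE_NONCE_ACTION  = 'rtk_install_requirements';
const RTK_GATE_REQUIRE_NONCE = false;

/**
 * Pure decision function, free of WordPress globals so it can be tested
 * outside WordPress. Returns null when the request may proceed, otherwise an
 * array( 'message' => ..., 'status' => ... ) describing the refusal.
 *
 * @param bool $user_can_install Result of current_user_can( 'install_plugins' ).
 * @param bool $nonce_valid      Result of wp_verify_nonce() for the request.
 * @param bool $require_nonce    Whether a missing or invalid nonce is fatal.
 */
function rtk_gate_decision( $user_can_install, $nonce_valid, $require_nonce ) {
    // Authorization first. A nonce is not an authorization mechanism: it only
    // binds a request to a user session, so a low-privileged user with a
    // valid nonce must still be refused.
    if ( ! $user_can_install ) {
        return array( 'message' => 'Insufficient permissions.', 'status' => 403 );
    }
    // CSRF protection second. Without a nonce, a hostile page can make an
    // administrator's own browser fire this request.
    if ( $require_nonce && ! $nonce_valid ) {
        return array( 'message' => 'Invalid or missing nonce.', 'status' => 403 );
    }
    return null;
}

/**
 * Runs before the plugin's install_requirements() callback on the same action.
 * wp_send_json_error() ends the request, so the vulnerable callback is never
 * reached when the gate refuses.
 */
function rtk_gate_install_requirements() {
    $nonce = isset( $_REQUEST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) )
        : '';

    $denial = rtk_gate_decision(
        current_user_can( RTK_GATE_CAPABILITY ),
        (bool) wp_verify_nonce( $nonce, RTK_GATE_NONCE_ACTION ),
        RTK_GATE_REQUIRE_NONCE
    );

    if ( null !== $denial ) {
        // A low-privileged account calling an installer endpoint is a signal
        // worth alerting on, not just blocking, so record it.
        error_log( sprintf(
            'rtk-gate: refused install_requirements for user %d from %s (%s)',
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
            $denial['message']
        ) );
        wp_send_json_error( array( 'message' => $denial['message'] ), $denial['status'] );
    }
    // Otherwise fall through; the plugin's own callback runs next at priority 10.
}
add_action( 'wp_ajax_install_requirements', 'rtk_gate_install_requirements', 0 );
```

This gate only blocks the documented AJAX path; it does not add the missing capability and nonce checks inside the plugin itself, so it is a stopgap until the update to 1.5.5 is applied. Check the site's error log after deploying it: refusals from accounts that should never call an installer are evidence of exploitation attempts that predate the mitigation and warrant a review of installed and activated plugins.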

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-30911

Affected Products

Romethemekit For Elementor