CVE-2025-12473

Name of the Vulnerable Software and Affected Versions RTMKit versions through 1.6.8

Description The RTMKit plugin for WordPress is susceptible to Reflected Cross-Site Scripting through the themebuilder parameter. Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts into pages. Successful exploitation requires tricking a site administrator into performing an action, such as clicking a malicious link.

Recommendations Update RTMKit to a version later than 1.6.8.