PT-2026-40594 · WordPress · Rtmkit Addons For Elementor

Momopon1415 · Published 2026-05-13 · Updated 2026-05-13 · CVE-2026-3425

CVSS v3.1: 8.8 High

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

RTMKit Addons for Elementor versions prior to 2.0.3

Description

The plugin is susceptible to Local File Inclusion (LFI), a condition where an application includes files on a server without proper validation. Authenticated attackers with Author-level access or higher can exploit the 'get content' AJAX action through the path parameter to include and execute arbitrary PHP files. This may lead to the bypass of access controls, unauthorized access to sensitive data, or remote code execution if PHP files can be uploaded to the server.

Recommendations

Update to a version later than 2.0.2. As a temporary workaround, restrict access to the 'get content' AJAX action or the path parameter for users with Author-level permissions.
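
The path validation whose absence the description refers to, as an added example (not RTMKit's code or its actual fix): a hypothetical helper `resolve_inside()` canonicalises a user-supplied path and returns it only if it is a `.php` file inside a fixed template directory. The directory layout and file names are constructed for the demo.

```php
<?php
// Added example; resolve_inside() is a hypothetical helper, not plugin code.
// Returns the canonical path of $requested if it is a .php file inside
// $baseDir, otherwise null. Only the returned value should reach include.
function resolve_inside(string $baseDir, string $requested): ?string
{
    // Reject empty input, NUL bytes, stream wrappers and absolute paths.
    if ($requested === '' || strpos($requested, "\0") !== false
        || strpos($requested, '://') !== false
        || preg_match('#^([a-zA-Z]:)?[\\\\/]#', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses ../ and resolves symlinks; false if nothing is there.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // Compare canonical paths with a trailing separator, so a sibling such as
    // "templates-old" does not pass as a child of "templates".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return pathinfo($full, PATHINFO_EXTENSION) === 'php' ? $full : null;
}

// Constructed demo tree: one template inside the base, one file outside it.
$root = sys_get_temp_dir() . '/lfi_demo_' . bin2hex(random_bytes(4));
mkdir("$root/templates", 0700, true);
file_put_contents("$root/templates/card.php", "<?php echo 'card';");
file_put_contents("$root/secret.php", "<?php echo 'outside';");

$cases = ['card.php', '../secret.php', '/etc/passwd',
          'php://filter/resource=card.php', 'missing.php'];
foreach ($cases as $path) {
    $ok = resolve_inside("$root/templates", $path);
    printf("%-32s %s\n", $path, $ok === null ? 'rejected' : 'allowed');
}

// Remove the demo tree.
unlink("$root/templates/card.php");
unlink("$root/secret.php");
rmdir("$root/templates");
rmdir($root);
```

In a WordPress AJAX handler this check would run after `check_ajax_referer()` and a `current_user_can()` capability test, and the include would use the returned path, never the raw request value.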

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-3425

Affected Products

Rtmkit Addons For Elementor