PT-2026-60421 · WordPress · Rtmkit

CVE-2026-12906

·

Published

2026-07-16

·

Updated

2026-07-16

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions RTMKit WordPress plugin versions prior to 2.0.9
Description The plugin fails to perform a capability check in an AJAX action and directly resolves a request-supplied post identifier. This allows users with the Contributor role or higher to read the titles of private, draft, pending, scheduled, and trashed posts belonging to other users.
Recommendations Update RTMKit WordPress plugin to version 2.0.9 or later.

Exploit

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

CVE-2026-12906

Affected Products

Rtmkit