PT-2026-60421 · WordPress · Rtmkit
CVE-2026-12906
·
Published
2026-07-16
·
Updated
2026-07-16
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
RTMKit WordPress plugin versions prior to 2.0.9
Description
The plugin fails to perform a capability check in an AJAX action and directly resolves a request-supplied post identifier. This allows users with the Contributor role or higher to read the titles of private, draft, pending, scheduled, and trashed posts belonging to other users.
Recommendations
Update RTMKit WordPress plugin to version 2.0.9 or later.
Exploit
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Rtmkit