RomethemeKit For Elementor <= 1.5.2 - Authenticated (Contributor+) Sensitive Information Exposure via Elementor Templates
Description
Authenticated attackers with Contributor-level access can extract private, pending, and draft template data from the RomethemeKit For Elementor plugin up to version 1.5.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The RomethemeKit For Elementor plugin for WordPress (also known as RTMKit [1]) contains a sensitive information exposure vulnerability in all versions up to and including 1.5.2. The flaw resides in the register_controls function within widgets/offcanvas-rometheme.php. This allows authenticated users with at least Contributor-level access to extract sensitive private, pending, and draft template data.
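The class of flaw described above, as an added PHP illustration that is not RomethemeKit's code: a widget control that builds its template list without regard to post status, beside a version that limits the list to what the current user may read. The function names, the option key and the capability mapping are assumptions for the illustration; the plugin's actual query and checks are not on this page.

```php
<?php
// Added illustration (not RomethemeKit's code): an Elementor widget control that
// lists Elementor library templates for whoever can open the widget editor,
// Contributors included, beside a hardened form. Function names, the option key
// and the capability mapping are hypothetical.

// Weak form: every template regardless of status is offered, so the titles of
// private, pending and draft templates leak into the control for any user who
// can edit a post with Elementor.
function rt_example_template_options_weak() {
    $templates = get_posts( array(
        'post_type'   => 'elementor_library',
        'post_status' => 'any',      // includes private, pending and draft
        'numberposts' => -1,
    ) );
    return wp_list_pluck( $templates, 'post_title', 'ID' );
}

// Hardened form: published templates only, unless the current user holds the
// capabilities WordPress itself requires to read posts in restricted statuses.
// (Simplified mapping; a real plugin should mirror the template post type's
// own capability settings.)
function rt_example_template_options_hardened() {
    $statuses = array( 'publish' );
    if ( current_user_can( 'edit_others_posts' ) ) {
        $statuses[] = 'pending';
        $statuses[] = 'draft';
    }
    if ( current_user_can( 'read_private_posts' ) ) {
        $statuses[] = 'private';
    }
    $templates = get_posts( array(
        'post_type'   => 'elementor_library',
        'post_status' => $statuses,
        'numberposts' => -1,
    ) );
    return wp_list_pluck( $templates, 'post_title', 'ID' );
}

// Inside the widget's register_controls(): feed the control only the
// permitted list, so the editor UI never carries restricted titles.
// $this->add_control( 'template_id', array(
//     'label'   => 'Template',
//     'type'    => \Elementor\Controls_Manager::SELECT,
//     'options' => rt_example_template_options_hardened(),
// ) );
```

Detection on an unpatched site is limited to the plugin's own widget requests, so the practical control is the version check: any install at or below 1.5.2 should be treated as exposing template titles to every Contributor.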
Exploitation
An attacker must have a WordPress account with Contributor-level privileges or higher. No additional authentication or special conditions are required beyond being logged in. The attacker can trigger the vulnerable code path by interacting with the offcanvas widget controls, which exposes the restricted template data without proper authorization checks.
Impact
Successful exploitation results in the disclosure of sensitive template data, including private, pending, and draft templates. This information exposure can reveal unpublished content, potentially including confidential business information or pre-release designs. The attacker gains read access to data that should be restricted to higher-privileged users.
Mitigation
The vulnerability is fixed in version 2.0.7 of the plugin [1]. Users are strongly advised to update to the latest version immediately. No workarounds are available for versions 1.5.2 and earlier. The plugin is actively maintained, and the update can be obtained from the WordPress plugin repository.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.5.2
Patches
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.