RomethemeKit For Elementor <= 1.5.3 - Missing Authorization in save_options and reset_widgets

Vulnerability

The RomethemeKit For Elementor plugin for WordPress (versions up to and including 1.5.3) contains missing capability checks in the save_options and reset_widgets functions. This allows authenticated attackers with Subscriber-level access or above to modify plugin settings or reset plugin widgets to their default state (all enabled). The vendor's development branch now shows version 2.0.7 (last updated 2026-04-20) which likely includes full fixes, but version 1.5.3 only provided a partial fix [1].

Exploitation

An attacker needs only a valid WordPress account with Subscriber-level access or higher. No additional privileges or special network position is required. The attacker can directly call the affected save_options or reset_widgets functions via crafted requests to change plugin configuration or reset widgets without authorization checks [1].

Impact

Successful exploitation results in unauthorized modification of plugin settings, which could disrupt site functionality (e.g., disabling or enabling widgets arbitrarily) by resetting widgets to the default “all enabled” state. This could lead to unexpected plugin behavior but does not directly achieve remote code execution or privilege escalation on its own [1].

Mitigation

Version 1.5.3 introduced a partial fix; the full fix is expected in the newer versions of the plugin. Users should update to the latest available version (2.0.7 as of the reference) to be fully protected. If an immediate update is not possible, restricting Subscriber-level access or applying additional access controls may reduce risk [1].