CVE-2024-32956
Description
A stored cross-site scripting vulnerability in Rometheme RTMKit (rometheme-for-elementor) allows unauthenticated attackers to inject arbitrary web scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Rometheme RTMKit plugin for WordPress (rometheme-for-elementor), in versions up to and including 1.4.1, is vulnerable to stored cross-site scripting (XSS) due to improper neutralization of input during web page generation [1]. The vulnerability exists in the plugin's widget rendering, where user-supplied input is stored without proper sanitization and later rendered unescaped, so that any embedded script executes in the context of an administrator's browser session.
Exploitation
An unauthenticated attacker can exploit this vulnerability by submitting crafted input through a vulnerable form or widget that accepts user data. The injected script is stored on the server and subsequently executed when an administrator views the affected page or post in the WordPress admin panel [1]. No special permissions or authentication are required to submit the malicious payload.
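The two halves of the flaw described above, storing untrusted input and later rendering it unescaped, are illustrated here with a hypothetical WordPress handler pair. This is an added example, not code from the RTMKit plugin or from the cited references; the function names (`rtm_demo_*`), the `rtm_demo_note` meta key and the assumption that the store handler is reachable by unauthenticated visitors (for instance via an `admin_post_nopriv_*` hook) are all constructed for illustration. The WordPress API calls used (`update_post_meta`, `get_post_meta`, `wp_unslash`, `sanitize_text_field`, `esc_html`, `esc_attr`, `esc_url`, `wp_kses_post`) are real core functions.

```php
<?php
// Hypothetical illustration (not RTMKit code): a front-end form handler that stores
// a visitor's text in post meta, and an admin-side render callback that outputs it.
// The "vulnerable" pair trusts the data at both ends; the "hardened" pair sanitizes
// on input and escapes on output. Names prefixed rtm_demo_ and the meta key
// 'rtm_demo_note' are assumptions made for this example.

// --- Vulnerable: raw input stored, raw value echoed into the admin page ----------
function rtm_demo_store_note_vulnerable( int $post_id ): void {
    // Whatever the visitor posted, including <script> or on*= attributes, is
    // persisted as-is. No capability check, no sanitization.
    update_post_meta( $post_id, 'rtm_demo_note', $_POST['note'] ?? '' );
}

function rtm_demo_render_note_vulnerable( int $post_id ): void {
    // The stored markup is written into the administrator's page without escaping,
    // so the browser parses and runs it in the admin session.
    echo '<div class="rtm-note">' . get_post_meta( $post_id, 'rtm_demo_note', true ) . '</div>';
}

// --- Hardened: sanitize on input AND escape on output ----------------------------
function rtm_demo_store_note_hardened( int $post_id ): void {
    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags, invalid octets and line breaks.
    // Sanitizing at storage time limits what can ever reach the database.
    $note = sanitize_text_field( wp_unslash( $_POST['note'] ?? '' ) );
    update_post_meta( $post_id, 'rtm_demo_note', $note );
}

function rtm_demo_render_note_hardened( int $post_id ): void {
    // Escaping at output time is the control that actually prevents execution:
    // even if a raw value reached the database through another path, esc_html()
    // converts < > & " ' to entities, so the browser renders text, never markup.
    $note = get_post_meta( $post_id, 'rtm_demo_note', true );
    echo '<div class="rtm-note">' . esc_html( $note ) . '</div>';
}

// Where limited HTML must be allowed (e.g. a widget setting edited by a trusted
// editor), wp_kses_post() keeps the post-safe tag allowlist and drops <script>,
// event-handler attributes and javascript: URLs. Attribute values still need
// their own context-specific escaping: esc_attr() for plain attributes,
// esc_url() for href/src-style values.
function rtm_demo_render_rich_note_hardened( string $html, string $link, string $label ): void {
    printf(
        '<div class="rtm-note" title="%s" data-link="%s">%s</div>',
        esc_attr( $label ),
        esc_url( $link ),
        wp_kses_post( $html )
    );
}
```

When reviewing a widget or shortcode render callback for this class of bug, the practical check is that every `echo`/`printf` of data originating from a request, a setting or post meta passes through an `esc_*` or `wp_kses_*` call matching its output context (HTML body, attribute, URL, JavaScript). Input sanitization alone is not sufficient, because values can reach storage through imports, REST endpoints or other code paths that bypass the sanitizing handler.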
Impact
Successful exploitation allows an attacker to inject arbitrary JavaScript or HTML into the admin interface, leading to potential session hijacking, defacement, or theft of sensitive information disclosed to authenticated users. The attack is executed in the context of the administrator's browser, which can result in privilege escalation or complete site compromise [1].
Mitigation
The vulnerability is fixed in version 2.0.7, released on 2026-04-20 [1]. Users should update the RTMKit plugin to version 2.0.7 or later immediately. No workaround is available for earlier versions, and sites running vulnerable versions should consider disabling the plugin until the update is applied.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.4.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- patchstack.com/database/Wordpress/Plugin/rometheme-for-elementor/vulnerability/wordpress-romethemekit-for-elementor-plugin-1-4-1-cross-site-scripting-xss-vulnerabilitynvd
- patchstack.com/database/vulnerability/rometheme-for-elementor/wordpress-romethemekit-for-elementor-plugin-1-4-1-cross-site-scripting-xss-vulnerabilitynvd
News mentions
No linked articles in our index yet.