CVE-2025-24743
Description
Missing authorization in RTMKit for Elementor (≤1.5.2) allows unprivileged users to perform higher-privileged actions; update to 1.5.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
CVE-2025-24743 is a missing authorization vulnerability in the RTMKit plugin for Elementor (rometheme-for-elementor). The plugin fails to properly enforce access controls on certain functions, allowing users with lower privileges to execute actions that should require higher-level permissions. This type of flaw is classified as a broken access control issue [1].
Exploitation Details
An attacker with any level of authenticated access to a WordPress site running the affected plugin (versions up to and including 1.5.2) can exploit this missing authorization check. No special network position or additional authentication is required beyond a valid user account. The vulnerability can be triggered by sending crafted requests to the plugin's endpoints, bypassing the intended privilege checks [1].
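To make the class of bug concrete, the following is an added illustration of what "missing authorization" typically looks like in a WordPress plugin and how it is corrected. It is not the RTMKit plugin's code and does not reflect which of its endpoints were affected; the action names, REST namespace and option name (rtm_demo_*) are hypothetical. The vulnerable handler trusts that anyone who reaches admin-ajax.php is allowed to change a setting; the fixed handlers verify both intent (nonce) and authorization (capability) before acting, and the REST variant shows that the same check belongs in permission_callback rather than in the callback body.

```php
<?php
// Added illustration (not the RTMKit plugin's code). All identifiers prefixed
// rtm_demo_ are hypothetical. Requires WordPress core functions to be loaded.

// VULNERABLE pattern: the AJAX action is reachable by every logged-in user
// (wp_ajax_* hooks fire for any authenticated account) and the handler never
// asks whether the caller is permitted to change settings.
add_action( 'wp_ajax_rtm_demo_save_settings', 'rtm_demo_save_settings_vulnerable' );
function rtm_demo_save_settings_vulnerable() {
    // Input is sanitized, but sanitization is not authorization: a
    // subscriber-level account can still overwrite the option.
    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'rtm_demo_settings', $value );
    wp_send_json_success();
}

// FIXED pattern: verify intent (nonce) and authorization (capability).
add_action( 'wp_ajax_rtm_demo_save_settings_fixed', 'rtm_demo_save_settings_fixed' );
function rtm_demo_save_settings_fixed() {
    // CSRF protection: terminates the request if the nonce is missing or invalid.
    // The nonce is created elsewhere with wp_create_nonce( 'rtm_demo_save_settings' ).
    check_ajax_referer( 'rtm_demo_save_settings', 'nonce' );

    // Authorization: only users who may manage site options proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( 'rtm_demo_settings', $value );
    wp_send_json_success();
}

// REST variant: the authorization decision belongs in permission_callback.
// Using '__return_true' here would be the REST equivalent of the vulnerable
// AJAX handler above (cookie-authenticated REST calls still require a valid
// nonce in the X-WP-Nonce header, which core checks before the route runs).
add_action( 'rest_api_init', function () {
    register_rest_route( 'rtm-demo/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'rtm_demo_rest_save_settings',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'value' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
function rtm_demo_rest_save_settings( WP_REST_Request $request ) {
    update_option( 'rtm_demo_settings', $request->get_param( 'value' ) );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

When reviewing a plugin for this flaw, the check is mechanical: every wp_ajax_*, admin_post_* and REST handler that changes state should have a current_user_can() test (or an equivalent permission_callback) whose capability matches the sensitivity of the action, plus a nonce check for cookie-authenticated requests. A capability check alone without the nonce leaves the action open to cross-site request forgery; a nonce alone without the capability check is exactly the missing-authorization pattern described above.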
Impact
Successful exploitation enables an unprivileged user to perform actions normally reserved for administrators or other higher-privileged roles. This could include modifying settings, accessing sensitive data, or performing other unauthorized operations within the context of the plugin. While the CVSS score is 4.3 (Medium), the advisory notes that such vulnerabilities are sometimes used in mass-exploit campaigns, though the specific risk for this CVE is considered low [1].
Mitigation
The vulnerability has been patched in version 1.5.3 of the RTMKit plugin. Users are strongly advised to update immediately. For those unable to update, enabling auto-updates for vulnerable plugins (if using Patchstack) or consulting a web developer is recommended. No other workarounds are documented [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.5.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.