RCE Vulnerability Found in RomethemeKit For Elementor Plugin


A severe security flaw in the popular RomethemeKit For Elementor WordPress plugin has been identified and patched.

The issue, which could allow Remote Code Execution (RCE), has been fixed in version 1.5.5 following reports of an improper permission check in earlier versions.

RomethemeKit For Elementor is a widely used toolkit that extends the Elementor website builder with ready-to-use templates, widgets and icon packs. With over 30,000 active installations, the plugin streamlines website creation for users who lack design or coding expertise.

However, Patchstack researchers discovered a critical vulnerability stemming from the install_requirements function, which lacked both proper permission and nonce checks. As a result, any authenticated user – including those with minimal privileges such as Subscribers – could exploit this flaw to install and activate arbitrary plugins.

Once the malicious plugin is activated, an attacker could execute arbitrary code remotely.

This vulnerability was catalogued under CVE-2025-30911.

Patch Released After Incomplete Fix

The vendor, Rometheme, was notified of the issue on January 14, 2025. An initial patch was attempted with version 1.5.4, released on January 30, but proved insufficient.

A complete fix was rolled out in version 1.5.5 on March 14, which included both a permission and nonce check to safeguard the vulnerable function.


To help prevent similar vulnerabilities in the future, plugin developers should adopt a robust security approach during the design and development process.

Specifically, they are encouraged to:

  • Implement strict permission checks for any administrative-level actions, especially those involving file uploads, plugin installations or settings changes
  • Use nonce verification for all actions initiated through AJAX to protect against Cross-Site Request Forgery (CSRF) attacks
  • Avoid granting low-privilege user roles – such as Subscribers or Contributors – access to sensitive functions like plugin installation or activation
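The three recommendations above, shown as an added example of a WordPress AJAX handler in the weak form beside the hardened form. This is illustrative code written for this article, not RomethemeKit's own; the action names, the nonce action "example_install_nonce" and the allow-list are assumptions, and the admin page's script is assumed to POST the value of wp_create_nonce( 'example_install_nonce' ) in a "nonce" field.

```php
<?php
// Illustrative WordPress AJAX handlers, not RomethemeKit's code. Action names,
// the nonce action "example_install_nonce" and the allow-list are assumptions.

// Weak pattern (the class of bug described above): reachable by any logged-in
// user via wp_ajax_*, with no capability check and no nonce check.
function example_install_requirements_unsafe() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    // ... would install and activate $slug for a Subscriber just as for an admin
    wp_send_json_success();
}
add_action( 'wp_ajax_example_install_requirements_unsafe', 'example_install_requirements_unsafe' );

// Hardened pattern: nonce first (CSRF), then the capabilities WordPress itself
// requires for installing and activating plugins, then a fixed allow-list.
function example_install_requirements_safe() {
    // Dies with -1 / HTTP 403 when the nonce is missing, stale or forged.
    check_ajax_referer( 'example_install_nonce', 'nonce' );

    // Subscribers and Contributors never hold these; administrators do.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Never install an arbitrary slug taken from the request body.
    $allowed = array( 'elementor' ); // assumption: the plugin's declared requirements
    $slug    = sanitize_key( $_POST['slug'] ?? '' );
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown requirement.' ), 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 500 );
    }
    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    if ( true !== $upgrader->install( $api->download_link ) ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }
    // Activation only happens after both checks above have passed.
    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( array( 'message' => $activated->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}
add_action( 'wp_ajax_example_install_requirements_safe', 'example_install_requirements_safe' );
```

Because both handlers are registered only under wp_ajax_ (not wp_ajax_nopriv_), they still require a logged-in user; the difference is that only the hardened one refuses the request before any installer code runs.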

Establishing a strong validation framework and adhering to WordPress’s recommended coding practices can significantly reduce the risk of RCE and similar threats.

Regular code audits, security testing and timely updates are also vital to maintaining plugin integrity.


