Full Report
RomethemeKit for Elementor has released a patch addressing an RCE vulnerability exposing 30,000 sites
Analysis Summary
# Vulnerability: RCE in RomethemeKit For Elementor via Improper Permission Checks
## CVE Details
- CVE ID: CVE-2025-30911
- CVSS Score: Not stated in the source; the severity is described as "severe", and the flaw allows Remote Code Execution (RCE).
- CWE: Improper Access Control (Implied by "improper permission check")
## Affected Systems
- Products: RomethemeKit For Elementor WordPress Plugin
- Versions: Versions prior to 1.5.5 (Initial patch attempt was 1.5.4, which was insufficient).
- Configurations: Any WordPress site running a vulnerable plugin version on which an attacker holds an authenticated account, even one with minimal privileges (e.g., the Subscriber role).
## Vulnerability Description
The vulnerability exists in the `install_requirements` function within the RomethemeKit For Elementor plugin. This function failed to implement adequate permission checks and nonce verification. Consequently, any low-privileged authenticated user (such as a WordPress Subscriber) could trigger this function to install and subsequently activate arbitrary plugins on the WordPress installation. The activation of a malicious, attacker-supplied plugin leads directly to Remote Code Execution (RCE).
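The pattern described above, as an added illustration rather than the plugin's own code: a hypothetical WordPress AJAX handler that installs and activates a plugin, shown first without any authorization or nonce check (the class of defect the advisory describes) and then with the capability and nonce checks that version 1.5.5 is described as adding. All function and action names here are assumptions; the install step uses WordPress core's `Plugin_Upgrader` API, which is the usual way a plugin performs this task but is not confirmed by the advisory to be what RomethemeKit does.

```php
<?php
// Added example, not RomethemeKit code. Names prefixed "example_" are hypothetical.

// Shared install/activate routine. It does no authorization of its own, so every
// caller is responsible for authorizing the request before reaching it.
function example_install_and_activate( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $api = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $api ) ) {
        return $api;
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        return is_wp_error( $result ) ? $result : new WP_Error( 'install_failed', 'Install failed.' );
    }

    // plugin_info() returns the basename of the plugin that was just installed.
    $activated = activate_plugin( $upgrader->plugin_info() );
    return is_wp_error( $activated ) ? $activated : true;
}

// --- Vulnerable pattern (illustrative) ---------------------------------------
// wp_ajax_{action} hooks fire for *every* logged-in user regardless of role.
// Nothing here checks who is calling or whether the request was forged, so a
// Subscriber-level account can drive the install/activate routine above.
function example_install_requirements_unchecked() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    $res  = example_install_and_activate( $slug );
    is_wp_error( $res ) ? wp_send_json_error( $res->get_error_message() ) : wp_send_json_success();
}
add_action( 'wp_ajax_example_install_requirements_unchecked', 'example_install_requirements_unchecked' );

// --- Hardened pattern ----------------------------------------------------------
function example_install_requirements_checked() {
    // 1. Authorization: check capabilities, not role names. Installing and
    //    activating are distinct capabilities, so require both.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. Request-forgery protection: the nonce ties this request to a page the
    //    site rendered for this user. check_ajax_referer() ends the request
    //    with -1 (HTTP 403 for AJAX) when the nonce is missing or invalid.
    check_ajax_referer( 'example_install_requirements', 'nonce' );

    // 3. Input validation: a plugin slug is only ever a simple key.
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    if ( '' === $slug ) {
        wp_send_json_error( array( 'message' => 'Missing plugin slug.' ), 400 );
    }

    $res = example_install_and_activate( $slug );
    if ( is_wp_error( $res ) ) {
        wp_send_json_error( array( 'message' => $res->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'installed' => $slug ) );
}
add_action( 'wp_ajax_example_install_requirements_checked', 'example_install_requirements_checked' );

// The nonce the hardened handler expects is minted when the admin page that
// triggers the action is rendered, and passed to the page's script, e.g.:
//   wp_localize_script( 'example-admin', 'exampleAjax', array(
//       'nonce' => wp_create_nonce( 'example_install_requirements' ),
//   ) );
```

The order of the checks matters in practice: the capability check runs first so that an unprivileged caller is rejected before any nonce is even examined, and the nonce check runs before any state-changing work so that a privileged user cannot be made to install a plugin through a forged request.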
## Exploitation
- Status: Implied to be exploitable (fixed after discovery).
- Complexity: Low (Requires only authenticated access for a low-privileged user).
- Attack Vector: Adjacent (as stated; in practice the precondition is an authenticated account on the target WordPress installation, which CVSS captures under Privileges Required).
## Impact
- Confidentiality: High (RCE allows access to sensitive data).
- Integrity: High (RCE allows modification or destruction of system files/data).
- Availability: High (RCE can lead to site defacement or shutdown).
## Remediation
### Patches
- **Version 1.5.5** (Released March 14, 2025): This version includes the complete fix by implementing both necessary permission and nonce checks for the vulnerable function.
### Workarounds
- No specific workarounds were detailed. Until the patch is applied, the practical options are to limit or remove low-privileged accounts held by untrusted users, since any authenticated account suffices to reach the vulnerable function, or to restrict network access to the WordPress backend where possible.
## Detection
- **Indicators of Compromise:** Unexpected plugins appearing in the installed list or sudden execution of arbitrary code/shell activity on the underlying web server environment.
- **Detection methods and tools:** Monitoring plugin installation/activation logs for unauthorized actions originating from low-privileged user roles (e.g., Subscriber). Web Application Firewalls (WAFs) detecting unusual POST requests targeting plugin management endpoints without proper nonce validation, if the WAF is configured to inspect application layer details.
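One way to obtain the plugin-install and activation audit trail the detection method above relies on, as an added example that is not part of the advisory or the plugin: a small must-use plugin that hooks WordPress core's `upgrader_process_complete` and `activated_plugin` actions, records the acting user, roles and request, and flags any event performed by an account that lacks the capability the action normally requires. It assumes the install path goes through core's upgrader and `activate_plugin()`; names prefixed `example_` are assumptions.

```php
<?php
// Added example, not RomethemeKit code. Drop into wp-content/mu-plugins/ to
// load it on every request. Lines go to the PHP error log via error_log().

// Collect who is performing the action and whether they should be allowed to.
function example_plugin_audit_context() {
    $user = wp_get_current_user();
    return array(
        'user_id'      => (int) $user->ID,
        'login'        => $user->user_login ? $user->user_login : 'anonymous',
        'roles'        => implode( ',', (array) $user->roles ),
        'can_install'  => current_user_can( 'install_plugins' ),
        'can_activate' => current_user_can( 'activate_plugins' ),
        'ip'           => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli',
        'request'      => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : 'cli',
    );
}

// Build one structured log line. $required_cap is the capability the event
// should have needed; if the acting user lacks it, the line is marked so that
// log monitoring can alert on it.
function example_plugin_audit_line( $event, $subject, $ctx, $required_cap ) {
    $allowed = ( 'install_plugins' === $required_cap ) ? $ctx['can_install'] : $ctx['can_activate'];
    $fields  = array(
        'event='   . $event,
        'subject=' . $subject,
        'user='    . $ctx['user_id'] . ':' . $ctx['login'],
        'roles='   . ( $ctx['roles'] !== '' ? $ctx['roles'] : 'none' ),
        'ip='      . $ctx['ip'],
        'request=' . $ctx['request'],
        'status='  . ( $allowed ? 'expected' : 'SUSPICIOUS_missing_' . $required_cap ),
    );
    return 'plugin_audit ' . implode( ' ', $fields );
}

// Fires after core's upgrader finishes an install or update. $hook_extra['type']
// is 'plugin', 'theme', 'core' or 'translation'; 'action' is 'install' or 'update'.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    if ( ! is_array( $hook_extra ) || ( $hook_extra['type'] ?? '' ) !== 'plugin' ) {
        return;
    }
    $action  = $hook_extra['action'] ?? 'unknown';
    $subject = method_exists( $upgrader, 'plugin_info' ) && $upgrader->plugin_info()
        ? $upgrader->plugin_info()
        : 'unknown';
    error_log( example_plugin_audit_line(
        'plugin_' . $action, $subject, example_plugin_audit_context(), 'install_plugins'
    ) );
}, 10, 2 );

// Fires from inside activate_plugin() once the plugin has been activated.
add_action( 'activated_plugin', function ( $plugin, $network_wide ) {
    error_log( example_plugin_audit_line(
        'plugin_activate', $plugin, example_plugin_audit_context(), 'activate_plugins'
    ) );
}, 10, 2 );
```

A line whose `status=` field starts with `SUSPICIOUS_` means a plugin was installed or activated during a request from a user who could not have done so through the normal admin screens, which is exactly the signature of a handler that skipped its permission check. An `ip=cli` / `request=cli` pair marks WP-CLI or cron activity, which should be reviewed separately rather than alerted on.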
## References
- Vendor advisories (Patchstack researchers reported to Rometheme on January 14, 2025)
- Relevant links (defanged):
  - `hXXps://www.infosecurity-magazine.com/news/rce-vulnerability-in-romethemekit/`
- Information regarding the patch status can likely be found on the official WordPress Plugin Directory once the vulnerability details are fully public.