CVE-2025-12473
Reflected XSS in RTMKit WordPress Plugin Allows Script Injection
Publication date: 2026-03-11
Last updated on: 2026-03-11
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rometheme | rometheme_for_elementor | to 1.6.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The RTMKit plugin for WordPress has a vulnerability known as Reflected Cross-Site Scripting (XSS) in the 'themebuilder' parameter. This vulnerability exists in all versions up to and including 1.6.8 because the plugin does not properly sanitize input or escape output. As a result, an attacker who is not authenticated can inject malicious web scripts into pages. These scripts execute if a site administrator is tricked into performing an action, such as clicking on a specially crafted link.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary scripts in the context of the affected website when a site administrator interacts with a malicious link. This can lead to unauthorized actions such as stealing sensitive information, hijacking administrator sessions, or performing actions on behalf of the administrator without their consent.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves Reflected Cross-Site Scripting (XSS) via the 'themebuilder' parameter in the RTMKit plugin for WordPress. Detection typically involves monitoring web requests for suspicious or malicious payloads in the 'themebuilder' parameter.
You can detect attempts by inspecting web server logs or using tools like curl or wget to test the parameter for script injection.
- Use curl to send a test request with a script payload in the 'themebuilder' parameter and observe the response for reflected scripts: curl -i "http://yourwordpresssite.com/wp-admin/admin.php?page=themebuilder&themebuilder=<script>alert(1)</script>"
- Search web server logs for suspicious 'themebuilder' parameter values containing script tags or JavaScript code.
- Use a web vulnerability scanner that supports detection of reflected XSS vulnerabilities targeting the 'themebuilder' parameter.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update the RTMKit plugin for WordPress to a version later than 1.6.8 where the vulnerability is fixed.
Until an update can be applied, you should consider disabling or restricting access to the vulnerable 'themebuilder' functionality, especially for unauthenticated users.
Additionally, implement web application firewall (WAF) rules to block requests containing suspicious script payloads in the 'themebuilder' parameter.
Educate site administrators to avoid clicking on suspicious links that could exploit this reflected XSS vulnerability.