A serious security flaw has been discovered in RomethemeKit For Elementor, a popular WordPress plugin currently deployed on more than 30,000 websites worldwide. The vulnerability allows an authenticated user to achieve Remote Code Execution (RCE) and thereby take full control of the website and its hosting server. The root cause is improper authorization in the plugin, combined with the absence of the security checks WordPress expects in such handlers.

The vulnerability has been designated CVE-2025-30911 and rated critical with a CVSS score of 9.9/10. According to technical analysis, the weak point lies in the plugin's install_requirements() function, which is exposed through the wp_ajax_install_requirements hook. The function performs neither a user capability check nor nonce verification, the WordPress mechanism that prevents forged (CSRF) requests.
Because these protections are missing, any user logged in to the website, including the lowest-privilege account type such as Subscriber, can exploit the vulnerability. An attacker can install and activate plugins of their choosing, including a malicious plugin under their control. Once the malicious plugin is installed and activated, the attacker can execute arbitrary code on the server, gaining control of the website, stealing data, injecting malicious code, or using the system as a springboard for further attacks.
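To make the flaw concrete, the following PHP is an added illustrative example, not the plugin's own code: a hypothetical WordPress AJAX action that installs and activates a plugin, shown first with the weak pattern described above (no capability check, no nonce verification) and then with the checks a hardened handler needs. All function, action and script-handle names (`example_install_requirements_*`, `example-admin`, the `exampleAjax` object) are assumptions made for the example, and the allow-list of installable plugins is a constructed placeholder.

```php
<?php
// Added illustrative example (not the plugin's code). Function, action and
// script-handle names are hypothetical.

// --- Weak pattern: no capability check, no nonce verification ---------------
// Every wp_ajax_* handler is reachable by ANY logged-in user, Subscriber
// included, so a handler doing privileged work must enforce authorization
// itself. This one does not, which is the class of bug described above.
function example_install_requirements_weak() {
    $slug = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    // ... downloads, installs and activates the plugin identified by $slug ...
    wp_send_json_success( array( 'installed' => $slug ) );
}
add_action( 'wp_ajax_example_install_requirements_weak', 'example_install_requirements_weak' );

// --- Hardened pattern -------------------------------------------------------
function example_install_requirements_secure() {
    // 1. CSRF protection: the request must carry a nonce issued for this action.
    //    check_ajax_referer() terminates the request with -1/403 if it is missing or invalid.
    check_ajax_referer( 'example_install_requirements', 'nonce' );

    // 2. Authorization: only users allowed to install AND activate plugins may proceed.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input handling: restrict to an allow-list of plugins this feature may install,
    //    so the caller cannot name an arbitrary (attacker-controlled) package.
    $allowed = array( 'elementor' ); // constructed placeholder allow-list
    $slug    = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Plugin not permitted.' ), 400 );
    }

    // ... perform the install/activation for $slug ...
    wp_send_json_success( array( 'installed' => $slug ) );
}
add_action( 'wp_ajax_example_install_requirements_secure', 'example_install_requirements_secure' );

// The nonce is generated server-side when the admin page is rendered and handed
// to the front-end script that issues the AJAX request. Assumes a script with
// handle 'example-admin' has already been registered with wp_register_script().
function example_enqueue_admin_script() {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_install_requirements' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The order of the checks matters: the nonce check runs first so that a forged cross-site request is rejected before any state is touched, the capability check then ensures the legitimate session actually belongs to an administrator-level user, and the allow-list removes the attacker's ability to choose what gets installed even if the first two controls were somehow bypassed. Reviewing a plugin's `wp_ajax_*` handlers for exactly these three elements is a quick way to triage whether it shares this weakness.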
RomethemeKit For Elementor is a plugin designed to help users build websites quickly with Elementor, offering a variety of pre-designed templates, widgets, icons, and blocks. Aimed at users without programming skills, it is widely used on small business websites, personal blogs, and online stores. Because of this prevalence, CVE-2025-30911 is considered to have a wide impact and to be particularly dangerous if exploited at scale.
Network security experts recommend that WordPress administrators immediately check whether they are running RomethemeKit For Elementor. If so, upgrade to version 1.5.5 or later, in which the developer has fully patched the vulnerability. Administrators should also review user accounts, avoid granting unnecessary login access, and add further protections such as a web application firewall (WAF) and monitoring for unusual activity. Timely updates and strict access management are key to minimizing risk from serious vulnerabilities in the WordPress ecosystem.