Remote Code Execution Vulnerability Discovered in RomethemeKit for Elementor Plugin


A severe security flaw in the RomethemeKit for Elementor plugin for WordPress has been discovered and has since been addressed. The vulnerability, which could allow Remote Code Execution (RCE), stems from an improper permission check in earlier versions and was patched in version 1.5.5.

RomethemeKit for Elementor is a widely used toolkit that extends the Elementor website builder with ready-to-use templates, widgets, and icon packs. It has over 30,000 active installations, making it a significant asset for users who may lack design or coding expertise.

The critical vulnerability was uncovered by researchers from Patchstack, who identified that the install_requirements function lacked the required permission and nonce checks. As a result, any authenticated user, including those with minimal privileges such as Subscribers, could reach the function and use it to install and activate arbitrary plugins.

Once a malicious plugin is activated, an attacker can execute arbitrary code on the affected system.

This vulnerability has been cataloged as CVE-2025-30911.

Patch Released After Initial Fix Proved Inadequate

Rometheme, the vendor, was informed of the security issue on January 14, 2025. An initial patch was applied with the release of version 1.5.4 on January 30; however, this fix was insufficient. A comprehensive fix followed in version 1.5.5 on March 14, which added both permission and nonce checks to the vulnerable function.

To mitigate the risk of similar vulnerabilities in the future, it is essential for plugin developers to adopt robust security measures throughout the design and development phase. Key recommendations include:

– Implement stringent permission checks for any administrative actions, particularly those associated with file uploads, plugin installations, or changes to settings.
– Utilize nonce verification for all actions executed through AJAX to guard against Cross-Site Request Forgery (CSRF) attacks.
– Avoid granting low-privilege user roles, such as Subscribers or Contributors, access to sensitive functions like plugin installation or activation.
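The following is an added illustration of the flaw described above (a plugin-install AJAX handler reachable by any logged-in user) and of the three recommendations applied to it. It is not the RomethemeKit plugin's code and does not reconstruct its install_requirements function; the hook names, function names, script handle and the `rtk_install` action and nonce strings are assumptions chosen for the example. The WordPress functions it calls (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `plugins_api`, `Plugin_Upgrader`, `activate_plugin`) are the real core APIs.

```php
<?php
// Added example, not the plugin's own code. Shows a WordPress AJAX handler that
// installs and activates a plugin, first without and then with the checks the
// recommendations call for. Names prefixed rtk_ are assumptions for this example.

// --- Weak form: reachable by every logged-in user, no CSRF protection ---
// The wp_ajax_{action} hook fires for any authenticated user regardless of role,
// so a handler registered here without a capability check is exposed to
// Subscribers just as much as to Administrators.
add_action( 'wp_ajax_rtk_install_weak', 'rtk_install_weak' );
function rtk_install_weak() {
    $slug = sanitize_key( $_POST['slug'] ?? '' );
    rtk_install_and_activate( $slug ); // nothing stops a Subscriber or a forged request
    wp_send_json_success();
}

// --- Hardened form: nonce first, then capability, then constrained input ---
add_action( 'wp_ajax_rtk_install', 'rtk_install_hardened' );
function rtk_install_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this exact action.
    //    check_ajax_referer() terminates the request when the nonce is missing or stale.
    check_ajax_referer( 'rtk_install_nonce', 'nonce' );

    // 2. Authorization: installing and activating plugins is administrative, so gate
    //    it on the capabilities WordPress already defines for it, not on "is logged in".
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input: accept only the plugins this feature exists to install, rather than
    //    an arbitrary slug or download URL taken from the request.
    $allowed = array( 'elementor' ); // assumption: the feature's own dependency list
    $slug    = sanitize_key( $_POST['slug'] ?? '' );
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown plugin.' ), 400 );
    }

    rtk_install_and_activate( $slug );
    wp_send_json_success();
}

// The nonce the hardened handler expects must be issued to the admin page that makes
// the AJAX call; the page's script (handle 'rtk-admin', assumed to be registered
// elsewhere) then sends it as the 'nonce' POST field.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'rtk-admin', 'rtkAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'rtk_install_nonce' ),
    ) );
} );

// Shared helper built on the core upgrader API; identical in both forms, which is
// the point: the difference between safe and unsafe is entirely in the checks above.
function rtk_install_and_activate( $slug ) {
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    // Resolve the slug to a wordpress.org package; fail closed on lookup errors.
    $api = plugins_api( 'plugin_information', array( 'slug' => $slug ) );
    if ( is_wp_error( $api ) ) {
        wp_send_json_error( array( 'message' => $api->get_error_message() ), 400 );
    }

    $upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $result   = $upgrader->install( $api->download_link );
    if ( is_wp_error( $result ) || ! $result ) {
        wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
    }

    // plugin_info() returns the basename of the installed plugin's main file.
    $activated = activate_plugin( $upgrader->plugin_info() );
    if ( is_wp_error( $activated ) ) {
        wp_send_json_error( array( 'message' => $activated->get_error_message() ), 500 );
    }
}
```

The order of the checks matters: the nonce check runs first so that a forged cross-site request is rejected before any capability logic, and the capability check is tied to the specific operation (`install_plugins`, `activate_plugins`) rather than to a role name, which keeps it correct on sites that customize roles. Restricting the slug to a fixed list removes the "arbitrary plugin" half of the problem even if a future change weakens the other checks.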

Establishing a strong validation framework and adhering to recommended coding practices significantly diminishes the risk of RCE and related threats. Regular code audits, security testing, and timely updates are also crucial for maintaining the integrity of plugins.