CVE-2025-62065

WordPress RTMKit plugin <= 1.6.5 - Arbitrary File Upload vulnerability

CVSS 9.9 CRITICAL · EPSS 0.3% · CWE-434
In short

The RTMKit WordPress plugin allows attackers to upload malicious files without proper restrictions, potentially letting them take control of the website. This vulnerability affects versions up to 1.6.5.

Technical detail

A CWE-434 unrestricted file upload vulnerability in RTMKit <= 1.6.5 allows unauthenticated or low-privileged attackers to upload arbitrary files with dangerous types, potentially leading to remote code execution or website compromise. The plugin fails to implement proper file type validation and restrictions on its upload functionality.

Summary generated and translated by AI from the official description.
Unrestricted Upload of File with Dangerous Type vulnerability in Rometheme RTMKit rometheme-for-elementor. This issue affects RTMKit: from n/a through <= 1.6.5.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
Rometheme · RTMKit
