
A newly disclosed vulnerability in the popular RomethemeKit For Elementor WordPress plugin, installed on over 30,000 active sites, allows any authenticated user, down to the Subscriber role, to install and activate arbitrary plugins and thereby gain remote code execution (RCE) on the site. The root cause is a missing capability check and a missing nonce check on an AJAX endpoint. The flaw, tracked as CVE-2025-30911, has been assigned a critical CVSS score of 9.9.
“The RomethemeKit For Elementor plugin suffered from an authenticated Arbitrary Plugin Installation/Activation to RCE vulnerability,” Patchstack reports in their recent security advisory.
RomethemeKit is a toolkit designed for Elementor website builders, offering a rich collection of ready-to-use templates, widgets, icon packs, and section blocks. Its goal is to simplify WordPress site creation for users with minimal coding experience.
The vulnerability lies in the plugin's install_requirements() function, which is registered on the wp_ajax_install_requirements hook. Handlers on wp_ajax_* hooks are reachable by every logged-in user through admin-ajax.php, so the handler itself must enforce authorization. This one performed neither a capability check nor nonce validation, leaving the endpoint open to any authenticated user, including those with the basic Subscriber role.
“Since there is no proper permission and nonce check on the function, any authenticated users such as Subscriber role users are able to arbitrarily install and activate any plugin on the site,” Patchstack explains.
This means a low-privileged user could install and activate a malicious plugin and, through the plugin's own PHP, achieve remote code execution on the server hosting the vulnerable WordPress site. Because WordPress assigns the Subscriber role to new accounts by default, any site with open registration (or a membership or WooCommerce front end) effectively exposes this endpoint to anyone who can sign up.
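To make the missing checks concrete, the following is an added illustration written for this article, not RomethemeKit's own code. It shows a hypothetical AJAX plugin installer in its vulnerable shape beside a hardened version. The function names prefixed `example_`, the nonce action string, the `slug` and `package` request parameters and the required-plugin allowlist are all assumptions; the WordPress APIs used (`add_action`, `current_user_can`, `check_ajax_referer`, `plugins_api`, `Plugin_Upgrader`, `activate_plugin`) are real.

```php
<?php
/**
 * Illustrative wp_ajax_* plugin installer. NOT RomethemeKit's code.
 * All example_* names, the nonce action and the allowlist are assumptions.
 */

// --- Vulnerable pattern (shown for contrast; do not register it) ---
// add_action( 'wp_ajax_install_requirements', 'example_install_requirements_vulnerable' );
function example_install_requirements_vulnerable() {
    // wp_ajax_* handlers are reachable by every logged-in user via admin-ajax.php.
    // With no capability check and no nonce check, a Subscriber can have the
    // site download, install and activate whatever package this accepts.
    $package = isset( $_POST['package'] ) ? (string) wp_unslash( $_POST['package'] ) : '';
    example_install_and_activate( $package );
    wp_send_json_success();
}

// --- Hardened pattern ---
add_action( 'wp_ajax_install_requirements', 'example_install_requirements_hardened' );
function example_install_requirements_hardened() {
    // 1. Authorization: installing/activating plugins is an administrator
    //    capability. A nonce is CSRF protection, not an authorization check,
    //    so this test is required even when a nonce is verified below.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 2. CSRF protection: nonce bound to this action and the current user.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_install_requirements', 'nonce' );

    // 3. Never accept a download URL from the client. Accept only a slug from
    //    a fixed allowlist (assumed) and resolve it through the wordpress.org API.
    $slug    = isset( $_POST['slug'] ) ? sanitize_key( wp_unslash( $_POST['slug'] ) ) : '';
    $allowed = array( 'elementor' ); // assumed list of plugins this kit requires
    if ( ! in_array( $slug, $allowed, true ) ) {
        wp_send_json_error( 'unknown requirement', 400 );
    }

    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    $info = plugins_api( 'plugin_information', array(
        'slug'   => $slug,
        'fields' => array( 'sections' => false ),
    ) );
    if ( is_wp_error( $info ) || empty( $info->download_link ) ) {
        wp_send_json_error( 'plugin lookup failed', 502 );
    }

    $result = example_install_and_activate( $info->download_link );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'plugin' => $result ) );
}

// Shared installer. The security difference lives entirely in the callers above:
// the same function is safe or dangerous depending on who is allowed to reach it
// and where the package URL comes from.
function example_install_and_activate( $package_url ) {
    require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
    $installed = $upgrader->install( $package_url );
    if ( is_wp_error( $installed ) || ! $installed ) {
        return new WP_Error( 'install_failed', 'plugin install failed' );
    }

    $plugin_file = $upgrader->plugin_info();
    $activated   = activate_plugin( $plugin_file );
    return is_wp_error( $activated ) ? $activated : $plugin_file;
}

// The nonce must be handed to the admin page that issues the AJAX call, e.g.:
// wp_localize_script( 'example-admin', 'exampleAjax', array(
//     'nonce' => wp_create_nonce( 'example_install_requirements' ),
// ) );
```

When auditing a plugin for this bug class, grep for every `add_action( 'wp_ajax_` and `wp_ajax_nopriv_` registration and confirm that the callback performs a `current_user_can()` test appropriate to what it does before doing any work; a `check_ajax_referer()` call on its own is not sufficient, since any logged-in user who is served the page containing the nonce can replay it.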
If your WordPress site uses RomethemeKit For Elementor, update immediately to version 1.5.5 or later. Verify the installed version in the Plugins screen or with `wp plugin list` on the command line, and, given that exploitation requires only a Subscriber account, review the Plugins list and recently registered users for any plugin or account you do not recognise.