18 Apr

A newly disclosed vulnerability in the popular RomethemeKit For Elementor WordPress plugin, installed on over 30,000 active sites, could allow authenticated users to gain remote code execution (RCE) capabilities due to improper permission and nonce checks. The flaw, tracked as CVE-2025-30911, has been assigned a critical CVSS score of 9.9.
"The RomethemeKit For Elementor plugin suffered from an authenticated Arbitrary Plugin Installation/Activation to RCE vulnerability," Patchstack reports in their recent security advisory.
RomethemeKit is a toolkit designed for Elementor website builders, offering a rich collection of ready-to-use templates, widgets, icon packs, and section blocks. Its goal is to simplify WordPress site creation for users with minimal coding experience.

The vulnerability lies in the plugin's install_requirements() function, which can be invoked via the wp_ajax_install_requirements hook. It lacked both a permission check and nonce validation, opening the door for any authenticated user, including those with the basic Subscriber role, to reach the endpoint.
"Since there is no proper permission and nonce check on the function, any authenticated users such as Subscriber role users are able to arbitrarily install and activate any plugin on the site," Patchstack explains.
This means a low-privileged user could install and activate a malicious plugin, ultimately achieving Remote Code Execution on the server hosting the vulnerable WordPress site.
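The defect class described above, shown as an added example that is not RomethemeKit's or Patchstack's code: a WordPress admin-ajax handler that installs and activates a plugin, first in the unchecked form the advisory describes, then with the nonce and capability checks WordPress already provides. Function names, hook names, the nonce action string and the dependency allow-list are assumptions.

```php
<?php
/**
 * Added example (not code from the RomethemeKit plugin or the Patchstack advisory).
 * Every wp_ajax_* hook is reachable by any logged-in account, so a handler that
 * performs a privileged action must enforce its own nonce and capability checks.
 * Names below (example_* functions, hook names, nonce action) are assumptions.
 */

// --- Unchecked pattern: what the advisory describes. If this were hooked to a
// wp_ajax_* action, a Subscriber could trigger a plugin install/activation.
function example_install_requirements_unchecked() {
	$slug = isset( $_POST['plugin'] ) ? sanitize_key( wp_unslash( $_POST['plugin'] ) ) : '';
	// ... would install and activate $slug with no current_user_can() or nonce check ...
	wp_send_json_success( array( 'installed' => $slug ) );
}

// --- Hardened handler.
function example_install_requirements_hardened() {
	// 1. Nonce check: rejects forged or stale requests. The action string must
	//    match the one used in wp_create_nonce() below; on failure
	//    check_ajax_referer() terminates the request with HTTP 403.
	check_ajax_referer( 'example_install_requirements', 'nonce' );

	// 2. Capability check: installing and activating plugins are separate
	//    capabilities. Being logged in is not enough; require both.
	if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 3. Input validation: accept only slugs from a fixed allow-list of the
	//    plugins this toolkit actually depends on, never an arbitrary slug or URL.
	$allowed = array( 'elementor' ); // assumed dependency list
	$slug    = isset( $_POST['plugin'] ) ? sanitize_key( wp_unslash( $_POST['plugin'] ) ) : '';
	if ( ! in_array( $slug, $allowed, true ) ) {
		wp_send_json_error( array( 'message' => 'Unknown plugin.' ), 400 );
	}

	// 4. Install through the core upgrader from the official repository.
	require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
	require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
	require_once ABSPATH . 'wp-admin/includes/plugin.php';

	$api = plugins_api(
		'plugin_information',
		array( 'slug' => $slug, 'fields' => array( 'sections' => false ) )
	);
	if ( is_wp_error( $api ) ) {
		wp_send_json_error( array( 'message' => $api->get_error_message() ), 500 );
	}

	$upgrader = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
	$result   = $upgrader->install( $api->download_link );
	if ( is_wp_error( $result ) || ! $result ) {
		wp_send_json_error( array( 'message' => 'Install failed.' ), 500 );
	}

	$activated = activate_plugin( $upgrader->plugin_info() );
	if ( is_wp_error( $activated ) ) {
		wp_send_json_error( array( 'message' => $activated->get_error_message() ), 500 );
	}

	wp_send_json_success( array( 'installed' => $slug ) );
}
add_action( 'wp_ajax_example_install_requirements', 'example_install_requirements_hardened' );

// --- Issue the nonce to the admin page's script so the AJAX call can send it
// as the 'nonce' POST field checked above.
function example_enqueue_admin_script() {
	wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script(
		'example-admin',
		'exampleAjax',
		array(
			'url'   => admin_url( 'admin-ajax.php' ),
			'nonce' => wp_create_nonce( 'example_install_requirements' ),
		)
	);
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```

The order matters: the nonce check runs first so an unauthorised request dies before any capability lookup or repository call, and the capability check uses the specific install_plugins and activate_plugins capabilities rather than a generic logged-in test, which is exactly the distinction a Subscriber-level account fails. The allow-list is the third layer: even an administrator's legitimate request can only install the dependencies the toolkit needs.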
If your WordPress site uses RomethemeKit for Elementor, it is crucial that you immediately update to version 1.5.5 or later to mitigate risk.
