Local File Inclusion Vulnerability in RTMKit Plugin for WordPress
CVE-2026-5137
CVSS 4.3 (MEDIUM)
What is CVE-2026-5137?
The RTMKit plugin for WordPress is vulnerable to Local File Inclusion because the 'template' parameter of the render_templates AJAX endpoint is not adequately validated before it is passed to a require/include statement. This allows authenticated attackers with Contributor-level access or higher to include and execute any PHP file on the server whose name ends with _templates.php, which can lead to unauthorized code execution on affected WordPress installations.
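The defensive pattern that closes this class of bug is to never build an include path from request input, but to map the requested name onto a fixed allowlist and confine the resolved path to the plugin's template directory. The handler below is an added illustration and is not RTMKit's code; every function, option, nonce and template name in it is assumed.

```php
<?php
// Added illustration (not RTMKit's code) of a hardened template-selecting AJAX handler.
// All identifiers below are assumptions for the example.

// Allowlist: request value -> fixed basename. Input never becomes part of a path directly.
const EXAMPLE_TEMPLATES = [
    'hero'    => 'hero_templates.php',
    'gallery' => 'gallery_templates.php',
];

function example_template_dir(): string {
    // Absolute, normalized directory that every include must stay inside.
    $dir = realpath(__DIR__ . '/templates');
    return $dir === false ? '' : rtrim($dir, '/') . '/';
}

function example_resolve_template(string $requested): ?string {
    // 1. Reject anything not on the allowlist: no traversal, no NUL bytes, no suffix tricks.
    if (!array_key_exists($requested, EXAMPLE_TEMPLATES)) {
        return null;
    }
    $base = example_template_dir();
    $path = $base === '' ? false : realpath($base . EXAMPLE_TEMPLATES[$requested]);
    // 2. Defence in depth: the resolved file must really live under the template directory.
    if ($path === false || strncmp($path, $base, strlen($base)) !== 0) {
        return null;
    }
    return $path;
}

function example_render_templates_ajax(): void {
    // Authorization first: a capability that fits the action, not merely "logged in".
    if (!current_user_can('edit_theme_options')) {
        wp_send_json_error('forbidden', 403);
    }
    // CSRF protection for the AJAX action (nonce action name is an assumption).
    check_ajax_referer('example_render_templates');

    $requested = isset($_POST['template']) ? sanitize_key(wp_unslash($_POST['template'])) : '';
    $path = example_resolve_template($requested);
    if ($path === null) {
        wp_send_json_error('unknown template', 400);
    }
    ob_start();
    require $path; // only ever an allowlisted file confined to the template directory
    wp_send_json_success(ob_get_clean());
}
add_action('wp_ajax_example_render_templates', 'example_render_templates_ajax');
```

Requests for names outside EXAMPLE_TEMPLATES, including traversal sequences or other *_templates.php files, are rejected with a 400 before any include runs.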
Affected Version(s)
RTMKit 0 <= 2.0.7